
Changing manifest source_location when sending SBOM of an image to Github Dependency #300

Closed

Conversation

Maxim-Durand
Contributor

@Maxim-Durand Maxim-Durand commented Jan 20, 2024

Fixes #286

Improves the feature that sends scan results to GitHub by making sure that, when scanning an image, the manifest shown in GitHub Dependency shows the image name and its tag.


Before this PR change, here's how the vulnerability would look in Github Dependency:

[Screenshot: GitHub Dependency view before this PR]


After this PR change, here's how it looks:
[Screenshot: GitHub Dependency view after this PR]

As you can see, the image repo (I redacted this field as it's a private repo), name and tag are now shown instead of the default "Python".

Here's how it looks in the manifest search:

[Screenshot: manifest search]

@simar7
Member

simar7 commented Jan 24, 2024

@DmitriyLewen could you take a look?

@DmitriyLewen
Contributor

Hello @Maxim-Durand

What do you think about adding these changes to Trivy?
I think it will be better this way because users who don't use trivy-action will be able to get these changes.
e.g. we can use ArtifactName here - https://github.com/aquasecurity/trivy/blob/fb36c4ed09efc3fc241d02713c4cc864b6c6a2c8/pkg/report/github/github.go#L107-L111

But I'm still not sure if I should use the image name.
The docs say: "The path of the manifest file relative to the root of the Git repository."
[Screenshot: docs for the manifest source_location field]
Perhaps we need to use the file path from the image.

@Maxim-Durand
Contributor Author

Maxim-Durand commented Jan 24, 2024

> What do you think about adding these changes to Trivy? I think it will be better this way because users who don't use trivy-action will be able to get these changes.

You're totally right; I didn't know Trivy supported reports to GitHub.
I created the following PR in Trivy, aquasecurity/trivy#5999, and will update this one if needed later on.

> Perhaps we need to use filepath from image.

If you're scanning the image's Dockerfile then yes, but if you're scanning a remote image you won't have a file path available.
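How the source_location choice discussed above could be made, as an added example that is not Trivy's or trivy-action's code: it fills a reduced subset of the GitHub dependency snapshot payload, using the relative file path for filesystem scans and the image reference for image scans. The `container_image` type string, the `:latest` default and the sample references are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Reduced subset of the GitHub dependency snapshot payload (the real one also
// carries job, sha, ref, detector and scanned); only manifest naming matters.
type FileInfo struct {
	SourceLocation string `json:"source_location"`
}
type Manifest struct {
	Name string   `json:"name"`
	File FileInfo `json:"file"`
}
type Snapshot struct {
	Version   int                 `json:"version"`
	Manifests map[string]Manifest `json:"manifests"`
}

// hasTagOrDigest looks only at the last path segment, so a registry port such
// as "host:5000/app" is not mistaken for a tag.
func hasTagOrDigest(ref string) bool {
	last := ref[strings.LastIndex(ref, "/")+1:]
	return strings.ContainsAny(last, ":@")
}

// manifestLocation picks source_location: a filesystem or repo scan has a real
// path relative to the repo root; a remote image has none, so the image
// reference (name plus tag or digest) is used, which keeps nightly and release
// tags of one image apart. The ":latest" default is an assumption of this example.
func manifestLocation(artifactType, artifactName string) string {
	if artifactType != "container_image" || hasTagOrDigest(artifactName) {
		return artifactName
	}
	return artifactName + ":latest"
}

// buildSnapshot keys the manifest by the same value, so snapshots for two
// different tags of one image do not overwrite each other.
func buildSnapshot(artifactType, artifactName string) Snapshot {
	loc := manifestLocation(artifactType, artifactName)
	return Snapshot{Manifests: map[string]Manifest{loc: {Name: loc, File: FileInfo{SourceLocation: loc}}}}
}
func main() { // constructed sample input
	out, _ := json.MarshalIndent(buildSnapshot("container_image", "ghcr.io/acme/app:nightly"), "", "  ")
	fmt.Println(string(out))
}
```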

@Maxim-Durand Maxim-Durand marked this pull request as draft January 24, 2024 18:15
@RichardoC

This would be very handy. I'm currently finding it difficult to tell whether it's the nightly build or a release build that I scan nightly that has vulnerabilities, because they show up the same way in the GitHub security tab (via the SARIF upload).

@DmitriyLewen
Contributor

Hello @RichardoC
We are discussing adding these changes to the Trivy template: aquasecurity/trivy#5999 (comment)
It would be great if you shared your opinion on the changes being discussed, based on your experience.

Successfully merging this pull request may close these issues.

FEATURE : Define manifest when sending SBOM to Github Dependency