
FEATURE : Define manifest when sending SBOM to Github Dependency #286

Maxim-Durand opened this issue Nov 24, 2023 · 0 comments
Feature request

Using the SBOM generation feature and sending the result to GitHub works very well, except that it doesn't send the manifest details.

Meaning if you scan an image like so:

```yaml
- name: Run Trivy vulnerability scanner in fs mode
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: "fake_private_image:latest"
    scan-type: image
    format: 'github'
    output: 'dependency-results.sbom.json'
    github-pat: ${{ secrets.GITHUB_TOKEN }}
    severity: "MEDIUM,HIGH,CRITICAL"
    scanners: "vuln"
  env:
    TRIVY_USERNAME: "REDACTED"
    TRIVY_PASSWORD: "REDACTED"
```

If you look in the GitHub security alerts tab, you can see the following:

[Screenshot of the GitHub security alerts tab]

It shows the vulnerabilities but without any specific manifest.
Using the example above, it could specify the Docker image scanned (i.e. fake_private_image:latest in this example).


Proposed solution

When the user specifies format: github and scan-type: image, could trivy-action replace the manifest definition in the SBOM files with the Docker image value instead?
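One way the proposed relabeling could be done as a post-processing step on the generated file, as an added example that is not trivy-action's or Trivy's own code. It assumes the GitHub dependency snapshot layout (a `manifests` map keyed by name, each entry carrying `name`, `file.source_location` and `resolved`), uses a constructed sample snapshot, and goes one step beyond the request by keeping keys unique when the scan yields more than one manifest.

```python
import copy
from typing import Any

IMAGE_REF = "fake_private_image:latest"  # the image-ref from the workflow above

# Constructed sample: a cut-down GitHub dependency snapshot in the shape
# Trivy's github format emits (assumed layout; package values made up).
SAMPLE_SNAPSHOT: dict[str, Any] = {
    "version": 0,
    "detector": {"name": "trivy", "version": "0.0.0", "url": "https://github.com/aquasecurity/trivy"},
    "manifests": {
        "alpine": {
            "name": "alpine",
            "file": {"source_location": "alpine"},
            "resolved": {
                "pkg:apk/alpine/openssl@3.1.0": {
                    "package_url": "pkg:apk/alpine/openssl@3.1.0",
                    "relationship": "direct", "scope": "runtime", "dependencies": []}}},
        "app/requirements.txt": {
            "name": "app/requirements.txt",
            "file": {"source_location": "app/requirements.txt"},
            "resolved": {
                "pkg:pypi/requests@2.31.0": {
                    "package_url": "pkg:pypi/requests@2.31.0",
                    "relationship": "direct", "scope": "runtime", "dependencies": []}}},
    },
}


def relabel_manifests(snapshot: dict[str, Any], image_ref: str) -> dict[str, Any]:
    """Return a copy of `snapshot` whose manifests are named after the scanned image.

    A lone manifest becomes exactly `image_ref`; when Trivy reports several
    (OS packages plus language packages) the original name is kept as a
    suffix so keys stay unique and no `resolved` entries are silently dropped.
    """
    out = copy.deepcopy(snapshot)  # leave the caller's snapshot untouched
    manifests = out.get("manifests", {})
    relabeled: dict[str, Any] = {}
    for name, manifest in manifests.items():
        new_name = image_ref if len(manifests) == 1 else f"{image_ref} ({name})"
        manifest["name"] = new_name
        # source_location is normally a repo path; the proposal puts the image ref here
        manifest.setdefault("file", {})["source_location"] = new_name
        relabeled[new_name] = manifest
    out["manifests"] = relabeled
    return out
```

The rewritten snapshot can then be uploaded as usual; only the manifest labels change, so the vulnerability alerts stay attached to the same packages.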
