Azure / container-scan

A GitHub action to help you scan your docker image for vulnerabilities
MIT License
219 stars, 42 forks

Is scanitizer still an actively maintained project? #124

Open larryclaman opened 2 years ago

larryclaman commented 2 years ago

The container-scan docs say Install Scanitizer (currently in Beta) on your repository for more convenient management of allowedlist file. The link for Scanitizer takes me to https://github.com/apps/scanitizer, but there's virtually no information on this page. There's a link on that page that is supposed to be the scanitizer repo (https://github.com/github/scanitizer/), but that link returns a 404 not found error.

koushdey commented 2 years ago

@larryclaman Scanitizer is internal to the GitHub org, hence you are not able to see the repo contents. But yes, we maintain it. Is there any concern you want to share?

larryclaman commented 2 years ago

@koushdey It's really just a general level of comfort that I'm looking for. As I noted, the guidance for container-scan advises me to run scanitizer to maintain my CVE lists. As far as I can tell, there's ZERO documentation about scanitizer; the page at https://github.com/apps/scanitizer is devoid of any useful info (see screenshot below) such as FAQ, version, last updated, etc., and the link to the website https://github.com/github/scanitizer/ returns a 404 as I noted. Nor does a Google/Bing search for scanitizer return any information. In this context, it's reasonable to conclude that the project may have been abandoned.

Yet, I am being asked to install this application within my repo, which wants 'Read and write access to checks, code, issues, and pull requests'. I think it's reasonable to want some more information about the application before I install it with these permissions.

[screenshot: the scanitizer app page at https://github.com/apps/scanitizer]

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

raoganeshr commented 2 years ago

@koushdey Same issue here. Is scanitizer not meant to be used by folks outside Microsoft? If so, can this comment be added to the container-scan readme? If not, can some documentation be provided on how to use scanitizer to manage the allowlist?

[image]

koushdey commented 2 years ago

@raoganeshr @larryclaman I will discuss this with the PM as to what info we can share about the scanitizer app. I agree documentation is needed here. Will get back with an update.

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

larryclaman commented 2 years ago

Hi @koushdey, any update on this?

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

larryclaman commented 2 years ago

@koushdey, any update?

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.