It would be really awesome to have known vulnerabilities of components in the created SBOM commented to a pull-request.
The analysis trigger could be on pull-request, but we need a possibility to analyze the SBOM without a long-running dependency-track roundtrip.
There are for sure tools out there that can look up SBOM components in vulnerability databases; an estimated guess would be sufficient for pull-requests :thinking: .
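One way such a pull-request pre-check could look, as an added example that is not part of the original issue or of any project's code: parse the CycloneDX SBOM produced for the pull request, match each component's package URL against a local advisory list, and render a Markdown comment. The SBOM document, the package names and the advisory list below are constructed for illustration, and the advisory identifiers are placeholders rather than real vulnerability IDs; in a CI job the advisory list would be refreshed from a real feed.

```python
"""Offline SBOM-to-advisory check that renders a pull-request comment.

Added example, not code from the original issue or any project.  The SBOM,
package names and advisories are constructed; advisory IDs are placeholders.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM (minimal fields).  In CI this would be the
# SBOM artifact generated for the pull request.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-http", "version": "1.2.0",
         "purl": "pkg:npm/acme-http@1.2.0"},
        {"type": "library", "name": "acme-http", "version": "1.4.2",
         "purl": "pkg:npm/acme-http@1.4.2"},
        {"type": "library", "name": "widget-utils", "version": "2.3.0",
         "purl": "pkg:pypi/widget-utils@2.3.0"},
        {"type": "library", "name": "legacy-xml", "version": "3.1.0",
         "purl": "pkg:maven/com.example/legacy-xml@3.1.0?type=jar"},
        {"type": "library", "name": "lefty-pad", "version": "1.0.0",
         "purl": "pkg:npm/lefty-pad@1.0.0"},
    ],
})

# Constructed local advisory list, keyed by purl without the version.
# "fixed" is the first patched version (exclusive bound) or None if unpatched.
LOCAL_ADVISORIES: List[Dict] = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:npm/acme-http",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:pypi/widget-utils",
     "introduced": "0", "fixed": "2.3.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:maven/com.example/legacy-xml",
     "introduced": "3.0.0", "fixed": None, "severity": "critical"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Best-effort numeric version tuple: '1.4.2-beta' -> (1, 4, 2).

    Non-numeric segments count as 0; an estimate is all a PR pre-check needs.
    """
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (package, version)."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" in base:
        package, version = base.rsplit("@", 1)
        return package, version
    return base, None


def is_affected(version: str, advisory: Dict) -> bool:
    """True if version lies in [introduced, fixed) of the advisory."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def find_vulnerabilities(sbom_json: str) -> List[Dict]:
    """Match every SBOM component with a purl against the local advisory list."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        purl = component.get("purl")
        if not purl:
            continue  # no purl: cannot be matched reliably, skip
        package, version = split_purl(purl)
        if version is None:
            continue
        for advisory in LOCAL_ADVISORIES:
            if advisory["package"] == package and is_affected(version, advisory):
                findings.append({"purl": purl, "id": advisory["id"],
                                 "severity": advisory["severity"],
                                 "fixed": advisory["fixed"] or "no fix available"})
    return findings


def render_pr_comment(findings: List[Dict]) -> str:
    """Render findings as the Markdown body of a pull-request comment."""
    if not findings:
        return "SBOM check: no known vulnerabilities in the local advisory list."
    lines = ["SBOM check: %d component(s) match known advisories "
             "(estimate, pending full analysis)." % len(findings),
             "", "| Component | Advisory | Severity | Fixed in |",
             "|---|---|---|---|"]
    for f in findings:
        lines.append("| `%s` | %s | %s | %s |"
                     % (f["purl"], f["id"], f["severity"], f["fixed"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_pr_comment(find_vulnerabilities(SAMPLE_SBOM)))
```

The match is deliberately an estimate: exact purl equality plus a numeric version range, with no ecosystem-specific version semantics, which keeps the check fast enough to run on every pull request while the full Dependency-Track analysis completes later. Note that the fixed version itself (`acme-http@1.4.2`) is correctly not reported, and a component with no published fix is still surfaced.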