anchore / grant

Search an SBOM for licenses and the packages they belong to
Apache License 2.0
68 stars 7 forks

feature: license detection by layer #43

Open spiffcs opened 8 months ago

spiffcs commented 8 months ago

Grant consumes syft as its default SBOM generator when users don't bring their own bill of materials.

Syft has an open issue which would enhance the scoping selections https://github.com/anchore/syft/issues/15. Completing this issue would allow grant to then provide users the option to do analysis for different layers of an image.

This is useful for when users want to do analysis on the software they're adding while excluding packages from the base layer. If an organization or user has already done analysis against the base image, then they might only be concerned with a cross section of the container for license compliance.
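One way to get the cross section described above before the syft scoping work lands, as an added example that is not grant's or syft's own code: diff a syft SBOM of the final image against the SBOM already produced for the base image, and report licenses only for the packages that were added on top. The two JSON documents below are constructed samples; they use only the `artifacts[].name`, `version`, `purl` and `licenses[].value` fields of syft's JSON format, and every package name, version and purl in them is made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sbom is the slice of syft's JSON document this example reads. Field names
// follow syft's output; every other field is ignored by encoding/json.
type sbom struct {
	Artifacts []artifact `json:"artifacts"`
}

type artifact struct {
	Name     string    `json:"name"`
	Version  string    `json:"version"`
	PURL     string    `json:"purl"`
	Licenses []license `json:"licenses"`
}

type license struct {
	Value string `json:"value"`
}

// Constructed sample: SBOM of the base image, already reviewed by the org.
const baseSBOM = `{"artifacts": [
  {"name": "musl", "version": "1.2.4-r2", "purl": "pkg:apk/alpine/musl@1.2.4-r2",
   "licenses": [{"value": "MIT"}]},
  {"name": "busybox", "version": "1.36.1-r5", "purl": "pkg:apk/alpine/busybox@1.36.1-r5",
   "licenses": [{"value": "GPL-2.0-only"}]},
  {"name": "ca-certificates", "version": "20230506-r0", "purl": "pkg:apk/alpine/ca-certificates@20230506-r0",
   "licenses": [{"value": "MPL-2.0"}]}
]}`

// Constructed sample: SBOM of the final image. busybox was upgraded, curl and
// requests were added, and one vendored library has no purl and no license.
const finalSBOM = `{"artifacts": [
  {"name": "musl", "version": "1.2.4-r2", "purl": "pkg:apk/alpine/musl@1.2.4-r2",
   "licenses": [{"value": "MIT"}]},
  {"name": "busybox", "version": "1.36.1-r6", "purl": "pkg:apk/alpine/busybox@1.36.1-r6",
   "licenses": [{"value": "GPL-2.0-only"}]},
  {"name": "ca-certificates", "version": "20230506-r0", "purl": "pkg:apk/alpine/ca-certificates@20230506-r0",
   "licenses": [{"value": "MPL-2.0"}]},
  {"name": "curl", "version": "8.5.0-r0", "purl": "pkg:apk/alpine/curl@8.5.0-r0",
   "licenses": [{"value": "curl"}]},
  {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
   "licenses": [{"value": "Apache-2.0"}]},
  {"name": "vendored-lib", "version": "0.1", "purl": "", "licenses": []}
]}`

func parse(data string) (sbom, error) {
	var doc sbom
	err := json.Unmarshal([]byte(data), &doc)
	return doc, err
}

// key identifies a package across the two SBOMs. The purl is preferred because
// it carries the ecosystem; name@version is the fallback when it is empty.
func key(a artifact) string {
	if a.PURL != "" {
		return a.PURL
	}
	return a.Name + "@" + a.Version
}

// addedPackages returns the artifacts in final with no counterpart in base.
// A version bump produces a new key, so an upgraded base package is reported
// as added: it is new material for compliance purposes.
func addedPackages(base, final sbom) []artifact {
	seen := make(map[string]bool, len(base.Artifacts))
	for _, a := range base.Artifacts {
		seen[key(a)] = true
	}
	var out []artifact
	for _, a := range final.Artifacts {
		if !seen[key(a)] {
			out = append(out, a)
		}
	}
	return out
}

// licenseReport groups the added packages by license value. Packages with no
// detected license are filed under NO-LICENSE-FOUND rather than dropped.
func licenseReport(pkgs []artifact) map[string][]string {
	report := make(map[string][]string)
	for _, a := range pkgs {
		id := a.Name + "@" + a.Version
		if len(a.Licenses) == 0 {
			report["NO-LICENSE-FOUND"] = append(report["NO-LICENSE-FOUND"], id)
			continue
		}
		for _, l := range a.Licenses {
			report[l.Value] = append(report[l.Value], id)
		}
	}
	for k := range report {
		sort.Strings(report[k])
	}
	return report
}

func main() {
	base, err := parse(baseSBOM)
	if err != nil {
		panic(err)
	}
	final, err := parse(finalSBOM)
	if err != nil {
		panic(err)
	}
	report := licenseReport(addedPackages(base, final))
	names := make([]string, 0, len(report))
	for l := range report {
		names = append(names, l)
	}
	sort.Strings(names)
	for _, l := range names {
		fmt.Printf("%-18s %v\n", l, report[l])
	}
}
```

Matching on purl means an upgraded base package surfaces as added, which is what a reviewer wants to see, and anything without a detected license is listed instead of silently vanishing. Filtering a single SBOM on `artifacts[].locations[].layerID` is the other route, but for database-backed ecosystems (apk, dpkg, rpm) the recorded location is the package database file, which carries the ID of the last layer that rewrote it, so one package install in an upper layer can pull the entire base set into that layer; the two-SBOM diff does not have that problem.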