anchore / grant

Search an SBOM for licenses and the packages they belong to
Apache License 2.0

feat: grant should have a `policy` command that aids users in constructing a baseline policy for their images or software #46

Open spiffcs opened 8 months ago

spiffcs commented 8 months ago

Some examples of this would be to generate a policy of exclusions from an image that is already known as compliant.

Example:

```
grant policy --exclude image:base:latest
```

^ This would generate a policy that has exceptions for the packages and their license associations in the base image.

When a user goes to use grant against a production image built with the above, they will know they are only keying on licenses introduced during the build process. The grant policy would exclude the licenses/packages from the base image.
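The baseline idea described in the issue, as an added example that is not grant's code: the package/license pairs of a known-compliant base image become the exclusion set, and a scan of the production image reports only associations the build introduced. The `Finding` shape, the sample SBOM data and the policy layout returned by `to_policy` are constructed assumptions, not grant's real output or config schema.

```python
"""Sketch of a baseline exclusion policy built from a base image (illustrative, not grant's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str   # package name as an SBOM tool would report it
    license: str   # SPDX identifier or raw license string as found


# Constructed sample data standing in for the license findings of two images.
BASE_IMAGE = [
    Finding("musl", "MIT"),
    Finding("busybox", "GPL-2.0-only"),
    Finding("zlib", "Zlib"),
]
PROD_IMAGE = BASE_IMAGE + [
    Finding("libfoo", "AGPL-3.0-only"),  # introduced by the build
    Finding("libbar", "MIT"),            # also introduced by the build
]


def build_baseline(base_findings):
    """Return the (package, license) pairs to exclude, taken from a known-compliant base image."""
    return frozenset((f.package, f.license) for f in base_findings)


def new_findings(prod_findings, baseline):
    """Keep only associations not excused by the baseline.

    Keying on the pair rather than the package name alone means a base package
    whose license changes between scans still surfaces instead of being hidden.
    """
    return [f for f in prod_findings if (f.package, f.license) not in baseline]


def to_policy(baseline):
    """Render the baseline as an exclusion list (assumed layout, not grant's config format)."""
    return {"exclusions": [{"package": p, "license": l} for p, l in sorted(baseline)]}


if __name__ == "__main__":
    baseline = build_baseline(BASE_IMAGE)
    print(to_policy(baseline))
    for f in new_findings(PROD_IMAGE, baseline):
        print(f"new license association: {f.package} -> {f.license}")
```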