aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Changing manifest `source_location` when sending SBOM of an image to Github Dependency #300

Closed Maxim-Durand closed 7 months ago

Maxim-Durand commented 8 months ago

Fixes https://github.com/aquasecurity/trivy-action/issues/286

Improves the feature to send scan results to GitHub by making sure that, when we're scanning an image, the manifest shown in GitHub Dependency shows the image name and its tag.

Before this PR change, here's how the vulnerability would look in GitHub Dependency:

Screenshot_20240120_174723

After this PR change, here's how it looks:

Screenshot_20240120_174554

As you can see, the image repo (I redacted this field as it's a private repo), name and tag are now shown instead of the default Python.

Here's how it looks in the manifest search:

Screenshot_20240120_174246

simar7 commented 8 months ago

@DmitriyLewen could you take a look?

DmitriyLewen commented 8 months ago

Hello @Maxim-Durand

What do you think about adding these changes to Trivy? I think it will be better this way because users who don't use trivy-action will be able to get these changes. e.g. we can use ArtifactName here - https://github.com/aquasecurity/trivy/blob/fb36c4ed09efc3fc241d02713c4cc864b6c6a2c8/pkg/report/github/github.go#L107-L111

But I'm still not sure if I should use the image name. The docs say: "The path of the manifest file relative to the root of the Git repository." Perhaps we need to use the filepath from the image.

Maxim-Durand commented 8 months ago

> What do you think about adding these changes to Trivy? I think it will be better this way because users who don't use trivy-action will be able to get these changes.

You're totally right, I didn't know trivy supported reports to github. I created the following PR in trivy https://github.com/aquasecurity/trivy/pull/5999, and will update this one if needed later on.

> Perhaps we need to use filepath from image.

If you're scanning the image Dockerfile then yes but in the case you're scanning a remote image you won't have a filepath available.
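The distinction discussed above (a file path relative to the repository root for filesystem scans versus the image reference for image scans) as an added illustration; this is example code, not trivy-action's or Trivy's implementation, and the `Manifest` types, `imageSourceLocation` and `buildManifests` names, the `:latest` fallback and the sample references are assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of a GitHub dependency snapshot "manifests" entry (example types, not Trivy's).
type ManifestFile struct {
	SourceLocation string `json:"source_location"`
}
type Manifest struct {
	Name string       `json:"name"`
	File ManifestFile `json:"file"`
}

// imageSourceLocation derives source_location for a scanned image reference:
// the reference itself, so repo, name and tag (or digest) stay visible in GitHub.
// A reference with neither tag nor digest gets ":latest" appended (an assumption
// made by this example to keep the manifest name unambiguous).
func imageSourceLocation(ref string) string {
	if strings.Contains(ref, "@") { // digest-pinned reference, keep as-is
		return ref
	}
	// The tag separator is a ':' after the last '/', because registry hosts may carry a port.
	if strings.LastIndex(ref, ":") > strings.LastIndex(ref, "/") {
		return ref
	}
	return ref + ":latest"
}

// buildManifests keys the manifest by its source_location: the image reference for
// image scans, or the manifest file path relative to the repository root otherwise.
func buildManifests(isImage bool, target string) map[string]Manifest {
	loc := strings.TrimPrefix(target, "./")
	if isImage {
		loc = imageSourceLocation(target)
	}
	return map[string]Manifest{loc: {Name: loc, File: ManifestFile{SourceLocation: loc}}}
}

func main() {
	// Constructed sample: a release image and its nightly tag now produce distinct manifests.
	for _, ref := range []string{"ghcr.io/acme/app:1.4.0", "ghcr.io/acme/app:nightly", "localhost:5000/app"} {
		out, _ := json.Marshal(map[string]interface{}{"manifests": buildManifests(true, ref)})
		fmt.Println(string(out))
	}
	out, _ := json.Marshal(map[string]interface{}{"manifests": buildManifests(false, "./requirements.txt")})
	fmt.Println(string(out))
}
```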

RichardoC commented 8 months ago

This would be very handy. I'm currently finding it difficult to tell whether it's the nightly build or a release build that I scan nightly that has vulnerabilities, because they show up the same way in the GitHub security tab (via the SARIF upload).

DmitriyLewen commented 8 months ago

Hello @RichardoC. We are discussing adding these changes to the Trivy template: https://github.com/aquasecurity/trivy/pull/5999#discussion_r1469441742. It would be great if you shared your opinion on the changes being discussed, based on your experience.