Closed Maxim-Durand closed 7 months ago
@DmitriyLewen could you take a look?
Hello @Maxim-Durand
What do you think about adding these changes to Trivy?
I think it will be better this way because users who don't use trivy-action will be able to get these changes.
e.g. we can use ArtifactName
here - https://github.com/aquasecurity/trivy/blob/fb36c4ed09efc3fc241d02713c4cc864b6c6a2c8/pkg/report/github/github.go#L107-L111
But I'm still not sure if I should use image name.
Docs say: "The path of the manifest file relative to the root of the Git repository."
Perhaps we need to use filepath from image.
What do you think about adding these changes to Trivy? I think it will be better this way because users who don't use trivy-action will be able to get these changes.
You're totally right, I didn't know trivy supported reports to github. I created the following PR in trivy https://github.com/aquasecurity/trivy/pull/5999, and will update this one if needed later on.
Perhaps we need to use filepath from image.
If you're scanning the image Dockerfile, then yes, but in the case where you're scanning a remote image, you won't have a filepath available.
This would be very handy. I'm currently finding it difficult to tell whether it's the nightly build or a release build that I scan nightly that has vulnerabilities, because they show up the same way in the GitHub security tab (via the SARIF upload).
Hello @RichardoC, we are discussing adding these changes to the Trivy template: https://github.com/aquasecurity/trivy/pull/5999#discussion_r1469441742. It would be great if you shared your opinion on the changes being discussed, based on your experience.
Fixes https://github.com/aquasecurity/trivy-action/issues/286
Improves the feature that sends scan results to GitHub by making sure that, in case we're scanning an image, the manifest shown in GitHub Dependency will show the image name and its tag.
Before this PR change, here's how the vulnerability would look in GitHub Dependency:
After this PR change, here's how it looks:
As you can see, the image repo (I redacted this field as it's a private repo), name and tag are now shown instead of the default "Python". Here's how it looks in the manifest search: