aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

Report from SBOMs attached to OCI images #1624

Closed MPV closed 9 months ago

MPV commented 11 months ago

Following up on the discussion in:

What would be needed to support reporting from SBOMs attached to OCI images?

Thinking of, for example, this kind of attached SBOM:

A benefit to this could be that an SBOM created from an earlier (build) step could be fetched and used (as it might contain more data with better accuracy).

MPV commented 11 months ago

...or is this already supported now, as per below?

chen-keinan commented 11 months ago

@MPV is it supported with the trivy CLI?

MPV commented 11 months ago

> @MPV is it supported with the trivy CLI?

Yes, though it seems to be opt-in for some reason, using: trivy image --sbom-sources oci

chen-keinan commented 11 months ago

> @MPV is it supported with the trivy CLI?
>
> Yes, though it seems to be opt-in for some reason, using: trivy image --sbom-sources oci

@MPV how would you suggest trivy-operator detect the oci-referrers?

MPV commented 11 months ago

> @MPV how would you suggest trivy-operator detect the oci-referrers?

I'm not sure what you mean (excuse my missing knowledge of trivy-operator internals).

I assume you don't mean something as simple as:

"just deciding when to run trivy with the --sbom-sources oci flag" (if not always)?

chen-keinan commented 11 months ago

> @MPV how would you suggest trivy-operator detect the oci-referrers?
>
> I'm not sure what you mean (excuse my missing knowledge of trivy-operator internals).
>
> I assume you don't mean something as simple as:
>
> "just deciding when to run trivy with the --sbom-sources oci flag" (if not always)?

I'll explain how the operator reconciles workload events (such as Deployment, Pod, ReplicaSet, etc.). When you deploy, update, or delete a workload, the operator receives an event with the resource manifest.

Subsequently, the trivy-operator retrieves the image reference (registry/repository:tag) from the reconciled resource and initiates a scan using Trivy (a scan job operates behind the scenes):

trivy image registry/repository:tag

To scan the oci-referrers, the operator needs to obtain the sbom-ref from a specific source.

MPV commented 11 months ago

Oh, I thought that was already supported as per my previous comment above (but I may be misreading the implementation)?

> ...or is this already supported now, as per below?

chen-keinan commented 11 months ago

> Oh, I thought that was already supported as per my previous comment above (but I may be misreading the implementation)?
>
> ...or is this already supported now, as per below?

trivy-operator is cluster-scoped only and k8s native, meaning it should automatically detect resources (images) for scanning. You suggest it for sbom-referrers scanning, which I think is more suitable for the CLI (trivy). I'm open to ideas if one can be achieved.

kfox1111 commented 11 months ago

Some containers (ex: chainguard) are providing SBOMs along with the container images, and they can be pulled from the same container registry. Scanning the SBOM rather than the full container can speed up the processing quite a bit.

chen-keinan commented 11 months ago

> Some containers (ex: chainguard) are providing SBOMs along with the container images, and they can be pulled from the same container registry. Scanning the SBOM rather than the full container can speed up the processing quite a bit.

@kfox1111 makes sense, therefore I have added sbom caching. However, it's not a standard yet; trivy-operator needs to know if the image on the registry has an sbom in addition to the image (otherwise the scan result will fail). Maybe add a label or something else to the workload, wdyt?
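To make the two ideas in this thread concrete, the reconciliation flow chen-keinan describes above (workload event, extract registry/repository:tag, run trivy image on it) and the workload label/annotation he suggests here as an opt-in for SBOM-referrer scanning, here is an added example in Go. It is not trivy-operator code: the annotation name `example.invalid/sbom-source` is a hypothetical placeholder, the manifests are constructed samples, and the only real identifiers are the `trivy image` command and the `--sbom-sources oci` flag already quoted in the thread. It reads a Pod or template-bearing workload (Deployment, ReplicaSet) as JSON, lists its distinct image references, and builds one scan-job argv per image, adding `--sbom-sources oci` only when the workload has opted in.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical annotation (not one trivy-operator defines) by which a
// workload declares that its images carry an SBOM as an OCI referrer.
const sbomSourceAnnotation = "example.invalid/sbom-source"

type container struct {
	Image string `json:"image"`
}

// podSpec is the subset of a Kubernetes pod spec this example reads.
type podSpec struct {
	InitContainers []container `json:"initContainers"`
	Containers     []container `json:"containers"`
}

// manifest covers both a Pod (spec.containers) and a template-bearing
// workload such as a Deployment or ReplicaSet (spec.template.spec.containers).
type manifest struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		podSpec
		Template struct {
			Spec podSpec `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// imageRefs returns every image reference declared by the workload, init
// containers first, with duplicates removed in declaration order.
func imageRefs(m manifest) []string {
	ps := m.Spec.podSpec
	if len(ps.Containers) == 0 && len(ps.InitContainers) == 0 {
		ps = m.Spec.Template.Spec // Deployment/ReplicaSet: pod spec lives under template
	}
	seen := map[string]bool{}
	var refs []string
	all := append(append([]container{}, ps.InitContainers...), ps.Containers...)
	for _, c := range all {
		if c.Image == "" || seen[c.Image] {
			continue
		}
		seen[c.Image] = true
		refs = append(refs, c.Image)
	}
	return refs
}

// scanArgs builds the scan job's argv as a slice (never a shell string, so an
// odd image reference can't be interpreted as extra flags). A workload that
// opted in via the annotation gets trivy's --sbom-sources oci; everything else
// gets the plain image scan the operator runs today.
func scanArgs(m manifest, ref string) []string {
	args := []string{"trivy", "image"}
	if m.Metadata.Annotations[sbomSourceAnnotation] == "oci" {
		args = append(args, "--sbom-sources", "oci")
	}
	return append(args, ref)
}

// PlanScans parses a workload manifest (JSON) and returns the workload name
// plus one argv per distinct image reference.
func PlanScans(doc []byte) (string, [][]string, error) {
	var m manifest
	if err := json.Unmarshal(doc, &m); err != nil {
		return "", nil, fmt.Errorf("parse manifest: %w", err)
	}
	var plans [][]string
	for _, ref := range imageRefs(m) {
		plans = append(plans, scanArgs(m, ref))
	}
	return m.Metadata.Name, plans, nil
}

// Constructed sample manifests (not real cluster objects): a Deployment that
// opts in to SBOM-referrer scanning and a Pod that does not.
var sampleDeployment = []byte(`{
  "kind": "Deployment",
  "metadata": {"name": "web", "annotations": {"example.invalid/sbom-source": "oci"}},
  "spec": {"template": {"spec": {
    "initContainers": [{"image": "registry.example/init:0.1"}],
    "containers": [{"image": "registry.example/app:1.2.3"},
                   {"image": "registry.example/app:1.2.3"}]}}}
}`)

var samplePod = []byte(`{
  "kind": "Pod",
  "metadata": {"name": "job"},
  "spec": {"containers": [{"image": "registry.example/tool:2.0"}]}
}`)

func main() {
	for _, doc := range [][]byte{sampleDeployment, samplePod} {
		name, plans, err := PlanScans(doc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, argv := range plans {
			fmt.Printf("%s: %s\n", name, strings.Join(argv, " "))
		}
	}
}
```

The annotation is checked per workload rather than per image, which mirrors the suggestion in the comment; if the registry lacks the referrer for an opted-in image, that scan surfaces as a failed job rather than a silent fallback, which is what the caching remark above is guarding against.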

MPV commented 11 months ago

> Some containers (ex: chainguard) are providing SBOMs along with the container images, and they can be pulled from the same container registry.

Thanks for clarifying, this was my thought also.

> Scanning the SBOM rather than the full container can speed up the processing quite a bit.

And it also allows one to use different tools for building the SBOM (i.e. not requiring Trivy), as it's still a standard in motion and some SBOM creators may still lack some data.

For example, Syft is currently better at detecting licensing than Trivy, i.e.: