docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0
4.24k stars 541 forks

Export SBOM locally #889

Open lucacome opened 1 year ago

lucacome commented 1 year ago

Right now in my workflow I need to scan the newly created image with something like grype, then upload the SARIF to GitHub to see Code Scanning alerts.

I'd like to be able to at least skip a step and give grype the SBOM created by this action as an input. I think the SBOM might even be more accurate compared to the scan that grype performs since the SBOM is created at build time and might have more data if for example BUILDKIT_SBOM_SCAN_STAGE was used (I haven't confirmed this).

This is somewhat related to https://github.com/docker/build-push-action/issues/861 I think, but submitting the SBOM to GitHub doesn't do any scanning for vulnerabilities as far as I can tell.

It's probably out of scope for this action to generate a SARIF that can be uploaded to GitHub (or even automatically pushed), but just throwing the idea out there 🙂
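One way to get the build-time SBOM into grype and on to Code Scanning with what the action already supports today, as an added example that is not part of the issue or of the project's own documentation: build with `sbom: true`, pull the SBOM attestation back out of the pushed image with `imagetools inspect`, then scan that file. The action version tags, the `anchore/scan-action` inputs/outputs and the single-platform image (`.SBOM.SPDX` is only valid when one platform is built) are assumptions.

```yaml
name: build-and-scan
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # push to ghcr.io
      security-events: write   # required by upload-sarif
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build once, attaching SBOM and provenance attestations to the image.
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          sbom: true
          provenance: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}

      # Read the SPDX document back from the attestation manifest (assumes a
      # single-platform image; for multi-platform, .SBOM is keyed by platform).
      - name: Export SBOM from the pushed image
        run: |
          docker buildx imagetools inspect \
            ghcr.io/${{ github.repository }}:${{ github.sha }} \
            --format '{{ json .SBOM.SPDX }}' > sbom.spdx.json

      # Scan the SBOM instead of re-cataloguing the image (assumed inputs).
      - uses: anchore/scan-action@v3
        id: grype
        with:
          sbom: sbom.spdx.json
          output-format: sarif
          fail-build: false

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}
```

The scan step uses the build-time SBOM as its only input, so any packages discovered via BUILDKIT_SBOM_SCAN_STAGE are included; an image-based grype scan of the final layers would miss those.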