goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Per Image CVE white list/process? #19143

Open doug62 opened 1 year ago

doug62 commented 1 year ago

Evaluating but this is very close to the best registry I have seen.

As a user, I would like the ability to more easily mark individual CVEs as resolved so that a pull would be permitted, and/or more fine-grained control of the CVE allowlist, which seems to be at a project/global scope.

Add ability to review/accept individual CVEs in the image/vulnerability/scan window

Add ability for reviewed CVEs to be added in the scanner with something like a right click

Add ability/API to call webhooks to 1) request a workflow in something like ServiceNow/Jira; 2) API endpoint for external ticketing system to mark each Image/layer/CVE as resolved?

sizowie commented 1 year ago

+1 for this request

hoerup commented 11 months ago

Maybe belongs in a separate issue, but while looking at the allowlist I would also like