project-copacetic / copacetic

🧵 CLI tool for directly patching container images!
https://project-copacetic.github.io/copacetic/
Apache License 2.0

[QUESTION] Does this support prisma cloud #552

Closed smartaquarius10 closed 7 months ago

smartaquarius10 commented 7 months ago

What is your question?

Can we integrate this with twistcli? Many organisations use Prisma Cloud.

Any updates on this?

sozercan commented 7 months ago

@smartaquarius10 Yes, you can extend copa to support any scanner via plugins: https://project-copacetic.github.io/copacetic/website/scanner-plugins. Please note that copa itself doesn't provide any built-in support for Prisma. If you add a plugin to support Prisma, we would love to feature it in our docs.

In addition to this, we are working on updating packages without scanner reports in #548.

Closing this, please feel free to re-open if you have further questions.
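As an added illustration of the plugin route sozercan describes (this is not copa's own code, not twistcli's, and not from the thread), the sketch below reads a constructed scanner report and emits the v1alpha1 UpdateManifest that copa's scanner-plugins doc describes. The manifest field names (`apiVersion`, `metadata.os`, `metadata.config`, `updates[]`) are taken from that doc as I understand it and should be checked against the current version; the input schema (`distro`, `findings`, etc.) is a hypothetical format invented here, not the Prisma Cloud/twistcli schema, and every version string and vulnerability ID in the sample is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// UpdateManifest mirrors the v1alpha1 output copa expects from a scanner
// plugin, per the scanner-plugins doc linked in the thread (assumed field
// names; verify against the current doc before relying on them).
type UpdateManifest struct {
	APIVersion string   `json:"apiVersion"`
	Metadata   Metadata `json:"metadata"`
	Updates    []Update `json:"updates"`
}

type Metadata struct {
	OS     OSInfo `json:"os"`
	Config Config `json:"config"`
}

type OSInfo struct {
	Type    string `json:"type"`
	Version string `json:"version"`
}

type Config struct {
	Arch string `json:"arch"`
}

type Update struct {
	Name             string `json:"name"`
	InstalledVersion string `json:"installedVersion"`
	FixedVersion     string `json:"fixedVersion"`
	VulnerabilityID  string `json:"vulnerabilityID"`
}

// scannerReport is a hypothetical, simplified input format made up for this
// example. It is NOT the twistcli/Prisma Cloud schema; a real plugin would
// map the vendor's actual JSON fields onto these values.
type scannerReport struct {
	Distro   string `json:"distro"`
	Version  string `json:"distroVersion"`
	Arch     string `json:"arch"`
	Findings []struct {
		Package   string `json:"package"`
		Installed string `json:"installedVersion"`
		Fixed     string `json:"fixedVersion"`
		ID        string `json:"id"`
	} `json:"findings"`
}

// SampleReport is a constructed report: two fixable findings and one with no
// fixed version available. Package versions and IDs are placeholders.
const SampleReport = `{
  "distro": "debian", "distroVersion": "11.6", "arch": "amd64",
  "findings": [
    {"package": "libssl1.1", "installedVersion": "1.1.1n-0+deb11u3",
     "fixedVersion": "1.1.1n-0+deb11u5", "id": "CVE-0000-0001"},
    {"package": "libc6", "installedVersion": "2.31-13+deb11u5",
     "fixedVersion": "2.31-13+deb11u6", "id": "CVE-0000-0002"},
    {"package": "libzstd1", "installedVersion": "1.4.8+dfsg-2.1",
     "fixedVersion": "", "id": "CVE-0000-0003"}
  ]
}`

// Convert maps the report onto copa's manifest. Findings with no fixed
// version are dropped: copa can only upgrade to a version the distro's
// package repository actually ships, so an empty fixedVersion is unusable.
func Convert(raw []byte) (*UpdateManifest, error) {
	var r scannerReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("parse report: %w", err)
	}
	if r.Distro == "" || r.Version == "" {
		return nil, fmt.Errorf("report lacks OS type or version; copa needs both to pick a package manager")
	}
	m := &UpdateManifest{
		APIVersion: "v1alpha1",
		Metadata:   Metadata{OS: OSInfo{Type: r.Distro, Version: r.Version}, Config: Config{Arch: r.Arch}},
		Updates:    []Update{},
	}
	for _, f := range r.Findings {
		if f.Fixed == "" {
			continue
		}
		m.Updates = append(m.Updates, Update{
			Name: f.Package, InstalledVersion: f.Installed,
			FixedVersion: f.Fixed, VulnerabilityID: f.ID,
		})
	}
	return m, nil
}

// main follows the plugin contract described in the doc as I read it: copa
// runs `copa-<scanner> <report-file>` and reads the manifest from stdout.
// With no argument the constructed sample is used so the program runs offline.
func main() {
	raw := []byte(SampleReport)
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		raw = b
	}
	m, err := Convert(raw)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	_ = enc.Encode(m)
}
```

Built as a binary named for the scanner and placed on `PATH`, a plugin like this is what the doc's `--scanner` flag would dispatch to; the licensing question about redistributing the vendor's CLI is separate from the plugin itself, which only parses the report the CLI already produced.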

smartaquarius10 commented 7 months ago

@sozercan Sure. Will try working on it. Will reach out to you if any help is needed. Thanks.

smartaquarius10 commented 7 months ago

@sozercan

The Twistlock CLI is exclusively available for download from the Prisma Cloud Management Portal, which is only accessible to users with a valid license. It's possible to write a Go plugin to integrate it with Copacetic; however, I'm uncertain if that's permissible.

The crux of the issue is that the JSON report, which the code processes, originates from a CLI tool downloaded from a licensed portal, which complicates matters.

I'm unsure where to find guidance on this.

Any suggestions? Or do you have any Prisma community portal details where such questions can be asked?

sozercan commented 7 months ago

Unfortunately, I don't have access to any paid/enterprise scanning solutions, and I can't comment on the licences for those.

In the next release, copa will be able to patch without scanner reports, that might make things easier for you. If you are interested in trying this out and can build from source, we have it merged to main branch for patching non-distroless images now. https://project-copacetic.github.io/copacetic/website/installation#development-setup

smartaquarius10 commented 7 months ago

@sozercan Oh, that's great. Will try that one. But still, there must be some medium through which the tool gets the list of vulnerabilities internally. Are we only dependent on Trivy then? Or are you writing some custom code in copacetic to get the list of vulnerabilities?

sozercan commented 7 months ago

@tanulbh No list of vulnerabilities is needed; copa will upgrade all packages if no report and scanner are specified. Since all packages are a superset of the vulnerable packages, the vulns should also be resolved.

If you want to constrain this to vulnerable packages only, then you can use scanner reports, which is the behavior today. This will continue to be supported.

smartaquarius10 commented 7 months ago

@sozercan Oh, got it. Thank you so much.

A quick question: how/where should I start to become a contributor to the copacetic project? I am really interested in being part of this awesome initiative.

smartaquarius10 commented 7 months ago

@sozercan Could you please guide me a little on this?

sozercan commented 7 months ago

@tanulbh We would love you to contribute! We have a contributing guide here: https://project-copacetic.github.io/copacetic/website/contributing. The doc has the community Slack documented if you have any questions.

smartaquarius10 commented 7 months ago

@sozercan Thanks for sharing. Will check that.