tazjin / nixery

Container registry which transparently builds images using the Nix package manager. Canonical repository is https://cs.tvl.fyi/depot/-/tree/tools/nixery
https://nixery.dev/
Apache License 2.0

Attach vulnerability information to image metadata #76

Open tazjin opened 4 years ago

tazjin commented 4 years ago

Idea from talking to colleagues: Using a dataset like broken.sh by @andir it would be interesting to attach metadata to Nixery image layers about potential known vulnerabilities in those layers.

Since each layer is a set of packages, this translates rather nicely.

Specifically, I'm thinking of using the history field to add package information to the "Created by" field and extra information such as vulnerabilities to the "Comment".
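One way the idea above maps onto the OCI image config, as an added Go sketch that is not Nixery's own code: each layer's package set is written into the history entry's `created_by`, and any known vulnerabilities for those packages into its `comment`. The vulnerability table and package names are constructed sample data, not taken from broken.sh.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// History mirrors the two OCI image-config "history" fields used here.
type History struct {
	CreatedBy string `json:"created_by"`
	Comment   string `json:"comment,omitempty"`
}

// VulnDB maps a package name to known vulnerability identifiers.
// Constructed sample data; a real source would be a dataset such as broken.sh.
type VulnDB map[string][]string

// LayerHistory builds one history entry per layer (a layer is a set of
// package names). "created_by" lists the packages, "comment" lists the
// vulnerabilities known for those packages, or stays empty if there are none.
func LayerHistory(layers [][]string, db VulnDB) []History {
	out := make([]History, 0, len(layers))
	for _, layer := range layers {
		pkgs := append([]string(nil), layer...)
		sort.Strings(pkgs) // deterministic metadata regardless of input order
		var vulns []string
		for _, p := range pkgs {
			for _, v := range db[p] {
				vulns = append(vulns, p+": "+v)
			}
		}
		h := History{CreatedBy: "nixery: " + strings.Join(pkgs, " ")}
		if len(vulns) > 0 {
			h.Comment = "known vulnerabilities: " + strings.Join(vulns, "; ")
		}
		out = append(out, h)
	}
	return out
}

func main() {
	db := VulnDB{"openssl": {"VULN-EXAMPLE-1"}} // placeholder identifier
	layers := [][]string{{"openssl", "curl"}, {"coreutils"}}
	b, _ := json.MarshalIndent(LayerHistory(layers, db), "", "  ")
	fmt.Println(string(b))
}
```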

malte-behrendt commented 2 years ago

I'm looking for a vulnerability scanner which is able to scan nixery/nixos images. Ideally showing results in Harbor right away.

Is anyone aware of a scanner which works with nixery images and/or how to configure such a scanner?