wagoodman / dive

A tool for exploring each layer in a docker image
MIT License
47.4k stars 1.79k forks

Can we do docker layer wise scan for vulnerability detection #465

Closed suhalvemu closed 1 year ago

suhalvemu commented 1 year ago

What would you like to be added: At each layer, if there are any vulnerabilities present at the time of scanning, we can show/display the CVE IDs for better vulnerability detection

Why is this needed: It gives the health of image and helps us with better information in vulnerability scanning. Additional context:

ecki commented 1 year ago

hm, don't think dive has a CVE scanner? Anyway, what you ask for is implemented in trivy and docker scout.

suhalvemu commented 1 year ago

Actually Trivy does not support layer-wise scanning. I am not sure about docker scout. But since we are able to show what is present in the layers of a docker image, can we integrate trivy and provide a feature for showing CVEs at each layer?

ecki commented 1 year ago

Scout has layer scanning. The problem is not the layers, the problem is the scanning. You would need the logic to detect packages and, even worse, you need a useful CVE database. I think that is not in the scope of dive, but I could be wrong :)

suhalvemu commented 1 year ago

makes sense.
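As an added example (not part of this thread, of dive, or of trivy), here is the kind of glue the integration question above would need: it takes a trivy JSON report (`trivy image -f json`), in which each vulnerability record carries the `Layer` that introduced the affected package, and groups the CVE IDs per layer `DiffID`. The report contents, CVE IDs and layer digests below are constructed placeholders, and a finding without layer attribution is collected under "unknown".

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a trivy JSON report. Every value here
# (image name, CVE IDs, digests) is a placeholder, not a real finding.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {"Target": "example.invalid/app:1.0 (debian 12.4)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "Severity": "HIGH",
              "Layer": {"DiffID": "sha256:aaaa", "Digest": "sha256:1111"}},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
              "Severity": "LOW",
              "Layer": {"DiffID": "sha256:aaaa", "Digest": "sha256:1111"}},
             # same CVE, second package in the same layer: must be de-duplicated
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample-dev",
              "Severity": "LOW",
              "Layer": {"DiffID": "sha256:aaaa", "Digest": "sha256:1111"}},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplelib",
              "Severity": "CRITICAL",
              "Layer": {"DiffID": "sha256:bbbb", "Digest": "sha256:2222"}},
             # a finding with no layer attribution at all
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "otherlib",
              "Severity": "MEDIUM"},
         ]},
        # a target with no findings: trivy omits the Vulnerabilities key
        {"Target": "usr/bin/tool", "Class": "lang-pkgs"},
    ],
})


def cves_by_layer(report_json: str) -> dict:
    """Map each layer DiffID to the sorted, de-duplicated CVE IDs it introduced."""
    report = json.loads(report_json)
    grouped = defaultdict(set)
    # "Results" is null in trivy output when nothing was scanned, hence `or []`
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            layer = (vuln.get("Layer") or {}).get("DiffID", "unknown")
            grouped[layer].add(vuln["VulnerabilityID"])
    return {layer: sorted(ids) for layer, ids in grouped.items()}


if __name__ == "__main__":
    for layer, cves in cves_by_layer(SAMPLE_REPORT).items():
        print(f"{layer}: {', '.join(cves)}")
```

The DiffIDs match the layer identifiers dive shows, so a per-layer CVE column could be joined on that key.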