reporting not showing correct manifest when scanning a private image
#5998 (Closed)
Maxim-Durand started this conversation in Bugs
Replies: 2 comments
- It's only a draft for now but a proposed solution is #5999
- Created #6008 for this task.
Description
Note
This is a duplicate of aquasecurity/trivy-action#286 (comment) as it was recommended to be moved here.
Description of the issue
Using the GitHub dependency snapshot feature works very well, except that it doesn't send the manifest details in case you're scanning a remote image.
Meaning if you scan an image like so:
Then, when you upload the created report to GitHub Dependency, you'll see the following:
It shows the vulnerabilities but without any specific manifest.
Using the example above, it could specify the docker image scanned (i.e. fake_private_image:latest in this example).
Proposed solution
When the user specifies format == github and scan-type == image, trivy should replace the source_location field in the manifest definition in the SBOM file by the docker image value instead. See this PR aquasecurity/trivy-action#300 for a dirty bash fix (I will create a PR to do the same, but for the main trivy repo this time, in Go).
Desired Behavior
I redacted the image registry but I would expect the manifest section in Github Dependency to point to the image where the vulnerability was found.
In the report it would have to look like
Actual Behavior
As you can see, instead of specifying the image scanned, it only shows "Python". In the report this is due to
Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Output Format: None
Mode: Standalone
Debug Output:
Operating System: Kubuntu 22.04
Version:
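The behaviour proposed in the issue (for an image scan, point the manifest's source_location at the image reference rather than at the per-result target such as "Python") is shown below as an added example. This is not trivy's own code, nor the code from PR #5999 or #6008; the scan and scanResult types, the "container_image" / "filesystem" artifact type strings and the sample package URL are assumptions made for the illustration. Only the fields of the GitHub dependency snapshot "manifests" entry that matter here (name, file.source_location, resolved) are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Shapes of a "manifests" entry in a GitHub dependency snapshot
// (the dependency-submission payload). Only the fields needed here.
type manifestFile struct {
	SourceLocation string `json:"source_location"`
}

type resolvedPackage struct {
	PackageURL   string   `json:"package_url"`
	Relationship string   `json:"relationship"`
	Scope        string   `json:"scope"`
	Dependencies []string `json:"dependencies"`
}

type manifest struct {
	Name     string                     `json:"name"`
	File     manifestFile               `json:"file"`
	Resolved map[string]resolvedPackage `json:"resolved"`
}

// scanResult is a hypothetical, simplified per-target result
// (e.g. the OS packages, or one lock file found in the artifact).
type scanResult struct {
	Target string   // what the scanner reports as the target, e.g. "Python"
	PURLs  []string // package URLs of the packages found in that target
}

// scan is a hypothetical container for a whole scan: what was scanned
// (image reference or directory) plus the per-target results.
type scan struct {
	ArtifactType string // assumed values: "container_image" or "filesystem"
	ArtifactName string // image reference or scanned path
	Results      []scanResult
}

// sourceLocation applies the proposed rule: for an image scan the
// manifest points at the image reference; otherwise it points at the
// file or directory the result came from.
func sourceLocation(s scan, r scanResult) string {
	if s.ArtifactType == "container_image" {
		return s.ArtifactName
	}
	return r.Target
}

// buildManifests converts a scan into the manifests map of a snapshot,
// keyed by the result target.
func buildManifests(s scan) map[string]manifest {
	out := make(map[string]manifest, len(s.Results))
	for _, r := range s.Results {
		resolved := make(map[string]resolvedPackage, len(r.PURLs))
		for _, purl := range r.PURLs {
			resolved[purl] = resolvedPackage{
				PackageURL:   purl,
				Relationship: "direct",
				Scope:        "runtime",
				Dependencies: []string{},
			}
		}
		out[r.Target] = manifest{
			Name:     r.Target,
			File:     manifestFile{SourceLocation: sourceLocation(s, r)},
			Resolved: resolved,
		}
	}
	return out
}

// snapshotJSON renders the manifests section as indented JSON.
func snapshotJSON(s scan) (string, error) {
	b, err := json.MarshalIndent(map[string]interface{}{"manifests": buildManifests(s)}, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// sampleImageScan is constructed sample input mirroring the issue: a
// private image whose Python packages were flagged. The package URL is
// made up for the example.
func sampleImageScan() scan {
	return scan{
		ArtifactType: "container_image",
		ArtifactName: "fake_private_image:latest",
		Results: []scanResult{
			{Target: "Python", PURLs: []string{"pkg:pypi/requests@2.25.0"}},
		},
	}
}

func main() {
	out, err := snapshotJSON(sampleImageScan())
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Running it prints a manifests section whose single "Python" entry has file.source_location set to fake_private_image:latest, which is what the Desired Behavior section asks the GitHub Dependency view to show; a filesystem scan keeps the per-result path as before.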