Include image details in JSON output of trivy k8s commands

[matheusfm]

Description

Hi all,

I would like to suggest that Trivy include image details in JSON output of trivy k8s --scanners vuln ... commands

Currently, the JSON output lacks information about which image the vulnerabilities are associated with.
Here's an example of the current output:

{
  "ClusterName": "kind-kind",
  "Findings": [
    {
      "Namespace": "kube-system",
      "Kind": "Deployment",
      "Name": "coredns",
      "Results": [
        {
          "Target": "coredns",
          "Class": "lang-pkgs",
          "Type": "gobinary",
          "Vulnerabilities": [] //omitted
        }
      ]
    }
  ]
}

Steps to reproduce with Kind:

kind create cluster
trivy k8s --scanners vuln -f json deploy coredns -n kube-system

It would be very useful to have fields like RepoTags and RepoDigests in the JSON output, similar to the information provided in the Metadata field of the trivy image command:

trivy image registry.k8s.io/coredns/coredns:v1.9.3 -f json --scanners vuln

{
  "SchemaVersion": 2,
  "ArtifactName": "registry.k8s.io/coredns/coredns:v1.9.3",
  "ArtifactType": "container_image",
  "Metadata": {
    "ImageID": "sha256:5185b96f0becf59032b8e3646e99f84d9655dff3ac9e2605e0dc77f9c441ae4a",
    "DiffIDs": [], //omitted
    "RepoTags": [
      "registry.k8s.io/coredns/coredns:v1.9.3"
    ],
    "RepoDigests": [
      "registry.k8s.io/coredns/coredns@sha256:8e352a029d304ca7431c6507b56800636c321cb52289686a581ab70aaa8a2e2a"
    ],
    "ImageConfig": {} //omitted
  },
  "Results": [
    {
      "Target": "coredns",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [] //omitted
    }
  ]
}

Target

Kubernetes

Scanner

Vulnerability

[matheusfm]

Hi @chen-keinan @knqyf263

Does it make sense?

[chen-keinan]

@matheusfm yes , this requirement do make sense , I'll convert this discussion to issue for investigation and implementation

[chen-keinan]

issue #5251 has been opened