Replies: 1 comment 2 replies
-
|
trivy today can scan a filesystem directory and also some compiled binaries. can you elaborate more on your use case? |
Beta Was this translation helpful? Give feedback.
-
|
Could you point me to the documentation that covers what you are referring to here? For my use case, I am running into customers that feel that scanning packages installed through To try to ground things a bit, if I compile c code with no external dependencies and install the resulting binary under Additionally, if you think this line of thinking is a bit of red herring, I'm very open to that feedback. Defining the right "coverage" for an SBOM is a continual discussion that we are having with our partners and our customers. |
Beta Was this translation helpful? Give feedback.
-
https://aquasecurity.github.io/trivy/v0.52/docs/supply-chain/attestation/rekor/#non-packaged-binaries
In this case it's your responsibility to create an SBOM for your software. even if trivy detected this file, it cannot analyze it. |
Beta Was this translation helpful? Give feedback.
-
Description
From your documentation, trivy currently supports pulling vulnerability information for repo official OS packages, languages specific packages such as npm packages for javascript, and k8s component vulnerabilities.
Of course, there are many different things trivy could scan for that are outside the scope of these three data sources. Do you see Trivy expanding support for vulnerability scanning targets, or expanding the scope of vulnerability scanning tasks? For example, it may be of interest to some users to find arbitrary binaries that seem "out of place" when scanning filesystems. Is that sort of file system inspection something that the trivy team would entertain?
Target
Filesystem
Scanner
Vulnerability
Beta Was this translation helpful? Give feedback.
All reactions