Currently, we have the --scanners flag, which supports the following options: vuln, misconf, secret, and license. To align with this structure, I'm considering renaming the --list-all-pkgs flag to --scanners sbom.
This proposed change aims to:
- Enhance the CLI's intuitiveness by grouping all scanner-related functionalities under the --scanners flag.
- Provide a more consistent user experience for those familiar with the --scanners flag.
However, I have a concern: while vuln, misconf, secret, and license are directly tied to security issues, the Software Bill of Materials (SBOM) is not directly a security concern. It's more about transparency and understanding the components within a piece of software. By grouping it under the --scanners flag, there might be a potential for confusion among users regarding its purpose.
I'd appreciate feedback from the community on this proposal.
knqyf263 changed the title from "Rename --list-all-pkgs flag to --scanners sbom" to "Rename --list-all-pkgs to --scanners sbom" on Sep 14, 2023
Some additional consideration: if someone wants to create an [output plugin](https://aquasecurity.github.io/trivy/v0.50/docs/configuration/reporting/#plugin) that operates on an SBOM, they can't as of today, since the --output flag is used both to control the SBOM and to control the output plugin.
The design of output plugins assumes the plugin input is always native Trivy JSON, and the plugin should convert it to whatever it needs, which is fine, but there's no way for the user to specify that they want to create an SBOM (if they used the output plugin= option).
In this case, I would expect the sbom output plugin to generate Trivy SBOM JSON, and the plugin to be able to use a Trivy library to convert it to the desired SBOM format and process it.
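An added example, not Trivy's own code, of the kind of output plugin the comment above describes: because a plugin only ever receives Trivy's native JSON report, it has to derive the package inventory itself, here into a reduced CycloneDX-style document. The Trivy field names used (ArtifactName, Results[].Type and Results[].Packages[].Name/Version), the constructed sample report and the trivy:pkg-type property are assumptions made for this example.

```python
"""Minimal output plugin: native Trivy JSON report (stdin) -> CycloneDX-style inventory.

Added example, not part of Trivy. The Trivy field names below are assumed to match
the native JSON report produced with -f json --list-all-pkgs.
"""
import json
import sys

# Constructed sample report (hypothetical values, not a real scan). Two targets list
# the same package so the deduplication step has something to do.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.com/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.com/app:1.0 (alpine 3.18)", "Class": "os-pkgs", "Type": "alpine",
         "Packages": [{"Name": "musl", "Version": "1.2.4-r1"},
                      {"Name": "busybox", "Version": "1.36.1-r5"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Packages": [{"Name": "requests", "Version": "2.31.0"}]},
        {"Target": "tests/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Packages": [{"Name": "requests", "Version": "2.31.0"}]},
    ],
}

def packages_from_report(report):
    """Collect (pkg type, name, version) tuples from every result, deduplicated and sorted."""
    seen = set()
    for result in report.get("Results", []):
        for pkg in result.get("Packages") or []:  # key is absent without --list-all-pkgs
            seen.add((result.get("Type", "unknown"), pkg["Name"], pkg.get("Version", "")))
    return sorted(seen)

def to_cyclonedx(report):
    """Build a reduced CycloneDX 1.5-style JSON document from the native report."""
    components = [
        {"type": "library", "name": name, "version": version,
         "properties": [{"name": "trivy:pkg-type", "value": ptype}]}  # assumed property name
        for ptype, name, version in packages_from_report(report)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "container", "name": report.get("ArtifactName", "")}},
        "components": components,
    }

if __name__ == "__main__":
    # Plugin usage: `trivy image -f json --list-all-pkgs IMAGE | python plugin.py`
    data = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(to_cyclonedx(data), sys.stdout, indent=2)
```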