Right now in my workflow I need to scan the newly created image with something like grype, then upload the SARIF to GitHub to see Code Scanning alerts.
I'd like to be able to at least skip a step and give grype the SBOM created by this action as an input. I think the SBOM might even be more accurate compared to the scan that grype performs since the SBOM is created at build time and might have more data if for example BUILDKIT_SBOM_SCAN_STAGE was used (I haven't confirmed this).
This is somewhat related to #861 I think, but submitting the SBOM to GitHub doesn't do any scanning for vulnerabilities as far as I can tell.
It's probably out of scope for this action to generate a SARIF that can be uploaded to GitHub (or even automatically pushed), but just throwing the idea out there 🙂
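An added example of the workflow described above, not from the original issue or from the action's maintainers: it builds and pushes an image with the action's `sbom: true` input, pulls the build-time SPDX SBOM back out of the image attestation, hands that file to grype instead of having grype re-scan the image, and uploads the resulting SARIF to GitHub Code Scanning. The image name, registry and action versions are assumptions; the `docker buildx imagetools inspect --format '{{ json .SBOM.SPDX }}'` step assumes a single-platform image that was pushed to a registry, because attestations are not kept by the local image store, so `load: true` alone would not give you an SBOM to extract.

```yaml
name: build-sbom-scan

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write          # push to ghcr.io (assumed registry)
  security-events: write   # required by codeql-action/upload-sarif

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    env:
      # Placeholder image reference; replace with your own registry/repo.
      IMAGE: ghcr.io/example-org/example-app:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # sbom: true makes BuildKit attach an SPDX SBOM attestation to the
      # pushed image; it is generated at build time, which is the property
      # the issue is interested in.
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}
          sbom: true
          provenance: true

      # Read the SBOM attestation back from the registry as a plain SPDX
      # JSON document (single-platform image assumed).
      - name: Extract build-time SBOM
        run: |
          docker buildx imagetools inspect "$IMAGE" \
            --format '{{ json .SBOM.SPDX }}' > sbom.spdx.json
          test -s sbom.spdx.json   # fail fast if no attestation came back

      - name: Install grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
            | sudo sh -s -- -b /usr/local/bin

      # Scan the SBOM file rather than the image; grype's sbom: scheme
      # reads SPDX/CycloneDX/Syft JSON directly.
      - name: Scan SBOM with grype
        run: grype sbom:./sbom.spdx.json -o sarif --file results.sarif

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: grype-sbom
```

The `test -s` guard matters: if the attestation is missing (for example when the build was only loaded locally), `imagetools inspect` can print `null`, grype would then scan an empty document and report zero findings, and the job would go green with no vulnerability data at all.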