Use trivy rootfs scan for both local and remote #168
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Scanned manifest files: go.mod
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

@@ Coverage Diff @@
##           main     #168      +/-   ##
==========================================
+ Coverage   63.66%   63.78%   +0.12%
==========================================
  Files        23       26       +3
  Lines      1387     1541     +154
==========================================
+ Hits        883      983     +100
- Misses      316      356      +40
- Partials    188      202      +14

☔ View full report in Codecov by Sentry.
This reverts commit 4ec89bb.
…ctx, so it will work for that case. Any case calling this manually will want that context used, as the other could be nil
This reverts commit d9a79fa.
Thank you!
This adds support for both the local package and remote registry scanner to use `trivy rootfs` to scan the entire filesystem of a container.

The local version will extract a zarf package and use the images/index.json file to find the available containers, extract each layer into a directory, and then perform `trivy rootfs`.

The remote version will write the remote image to a local directory using `github.com/google/go-containerregistry/pkg/v1/layout`, and then modify it to behave exactly the same as the local package so we can use the same process for scanning the remote images.

We also now only scan for 1 platform: `amd64`. Previously the results of `amd64` and `arm64` were concatenated together, giving double results in most cases.

This resolves the following issues:

There is an ADR attached for more implementation details.
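The procedure the description gives (pick the manifests for one platform out of index.json, extract each layer into a directory, run `trivy rootfs` over it), as an added example that is not part of this PR or the project's code. It uses only the Go standard library and assumes what the description implies: index.json holds one manifest descriptor per platform, and each layer blob is a gzip-compressed tar. It adds the two checks a reviewer would want before pointing trivy at the result: every tar entry name is confined to the scratch directory, so a hostile layer cannot write outside it, and OCI whiteouts are applied in layer order, so files deleted by an upper layer are not reported as present. Function names are this example's own; the index document and layer contents used to exercise it are constructed.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Subset of an OCI image index (encoding/json matches field names case-insensitively).
type Descriptor struct {
	Digest   string
	Platform *struct{ OS, Architecture string }
}

// amd64Manifests returns the digests of the linux/amd64 manifests in an index.json
// document, so a multi-arch index is scanned once. Entries with no platform block are kept.
func amd64Manifests(indexJSON []byte) ([]string, error) {
	var idx struct{ Manifests []Descriptor }
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, err
	}
	var digests []string
	for _, d := range idx.Manifests {
		if p := d.Platform; p == nil || (p.OS == "linux" && p.Architecture == "amd64") {
			digests = append(digests, d.Digest)
		}
	}
	return digests, nil
}

// safeJoin resolves a tar entry name under root and refuses anything that would
// land outside it, so a hostile layer cannot write elsewhere on disk.
func safeJoin(root, name string) (string, error) {
	root, p := filepath.Clean(root), filepath.Join(root, name)
	if p != root && !strings.HasPrefix(p, root+string(os.PathSeparator)) {
		return "", fmt.Errorf("layer entry %q escapes %q", name, root)
	}
	return p, nil
}

// extractLayer untars one gzip-compressed layer into root, applying OCI whiteouts
// (".wh.<name>" removes <name> from lower layers, ".wh..wh..opq" empties its directory);
// only directories and regular files are written, since trivy rootfs needs nothing else.
func extractLayer(r io.Reader, root string) error {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		dir, base := filepath.Split(hdr.Name)
		name, opaque := hdr.Name, base == ".wh..wh..opq"
		if opaque {
			name = dir
		} else if strings.HasPrefix(base, ".wh.") {
			name = filepath.Join(dir, base[len(".wh."):])
		}
		target, err := safeJoin(root, name)
		if err != nil {
			return err
		}
		switch {
		case strings.HasPrefix(base, ".wh."):
			if err = os.RemoveAll(target); err == nil && opaque {
				err = os.MkdirAll(target, 0o755)
			}
		case hdr.Typeflag == tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case hdr.Typeflag == tar.TypeReg:
			var f *os.File
			if err = os.MkdirAll(filepath.Dir(target), 0o755); err == nil {
				f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			}
			if err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		}
		if err != nil {
			return err
		}
	}
}
```

Wiring it up follows the description's order: call amd64Manifests on the bytes of index.json, read each selected manifest from blobs/sha256/<hex> to get its layer digests, call extractLayer on each layer blob in manifest order into one scratch directory, then exec `trivy rootfs <dir>`. Blob digests are not re-verified against content here; for packages from an untrusted source, hash each blob and compare with the digest in the manifest before extracting it.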