What would you like to be added:
I’d like to be able to point Syft towards a file/folder of Kubernetes manifests and get results of CVEs etc for that/those images referred to in those manifests.
Why is this needed:
To make use of Syft for things I’m not building myself but still using. Also not running the scan at runtime but shifting left so I can see CVE differences etc in my PRs, Dependabot Alerts etc.
Additional context:
Hi @MPV, thanks for the suggestion. Usually Syft only scans one image at a time and produces an SBOM for a particular image, as opposed to a set of images. Would it work for your use case if there was a higher-level script that extracted a list of images referred to in a Kubernetes manifest and then looped over each one with Syft to create a set of SBOMs?
@tgerla Yeah that also makes sense. I guess either solution also needs to be good (enough) at finding the image(s) from manifest(s).
Maybe there's something that's already good at that (and thus can just be combined with this), any ideas...? 🤔
I've only tested this on one single manifest (below the script in the gist) and I'm not really familiar with the manifest format, but this might be a good start! There might be a more "kubernetes-style" way to do this. Hope it is useful!
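The "higher-level script" suggested above, written out as an added example (it is not the gist linked in this thread, nor code from the Syft project). It walks parsed Kubernetes objects rather than grepping for `image:`, so it picks up `containers`, `initContainers` and `ephemeralContainers` in any workload kind (including a CronJob's nested `jobTemplate`) while ignoring an `image` key that merely appears in ConfigMap data. It assumes manifests are given as JSON (stdlib only) or as YAML when PyYAML happens to be installed, that `syft <image> -o <format>` is the invocation you want, and that `syft` is on PATH only when `--run` is passed. The sample manifests at the bottom are constructed for the example. Unpinned references (tag only, no `@sha256:` digest) are reported separately, because a tag can move between the PR scan and the deployment, so the SBOM may not describe what actually runs.

```python
"""Extract container image references from Kubernetes manifests and
emit (or run) one Syft invocation per unique image.

Added example, not from the Syft project or this issue's gist.
Assumptions: JSON input via the stdlib, YAML input only if PyYAML is present,
and `syft` on PATH only when --run is given.
"""
import json
import re
import shutil
import subprocess
import sys
from typing import Any, Dict, Iterator, List

try:
    import yaml  # optional: only needed for YAML manifests
except ImportError:  # pragma: no cover
    yaml = None

# Pod-spec list keys whose entries carry an `image` field.
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")

# A reference is pinned when it ends in an @sha256:<64 hex> digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def iter_images(obj: Any) -> Iterator[str]:
    """Recursively walk a manifest object and yield every image reference
    found inside a containers / initContainers / ephemeralContainers list.
    The generic walk covers Pod, Deployment, StatefulSet, DaemonSet, Job and
    CronJob alike; an `image` key elsewhere (e.g. ConfigMap data) is skipped."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in CONTAINER_KEYS and isinstance(value, list):
                for container in value:
                    if isinstance(container, dict):
                        image = container.get("image")
                        if isinstance(image, str) and image.strip():
                            yield image.strip()
            else:
                yield from iter_images(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from iter_images(item)


def unique_images(docs: List[Any]) -> List[str]:
    """Deduplicate across all documents, preserving first-seen order."""
    seen: Dict[str, None] = {}
    for doc in docs:
        for image in iter_images(doc):
            seen.setdefault(image, None)
    return list(seen)


def is_pinned(image: str) -> bool:
    return DIGEST_RE.search(image) is not None


def unpinned(images: List[str]) -> List[str]:
    """Images referenced by mutable tag only; their SBOM can drift over time."""
    return [img for img in images if not is_pinned(img)]


def syft_command(image: str, output_format: str = "cyclonedx-json") -> List[str]:
    """argv for one Syft run; `-o` is Syft's output-format flag."""
    return ["syft", image, "-o", output_format]


def load_documents(path: str) -> List[Any]:
    """Load one file: JSON (a single object or a kubectl-style List) or
    multi-document YAML when PyYAML is available."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if path.endswith(".json"):
        data = json.loads(text)
        return data.get("items", [data]) if isinstance(data, dict) else data
    if yaml is None:
        raise SystemExit("PyYAML is not installed; supply JSON manifests instead")
    return [d for d in yaml.safe_load_all(text) if d is not None]


# Constructed sample: a Deployment (init container + two containers) and a
# CronJob sharing one image, plus a ConfigMap that must NOT be matched.
SAMPLE_DOCS = [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "init", "image": "busybox:1.36"}],
         "containers": [
             {"name": "web", "image": "nginx@sha256:" + "a" * 64},
             {"name": "sidecar", "image": "ghcr.io/example/sidecar:2.1"}]}}}},
    {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "nightly"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {
         "containers": [{"name": "job", "image": "busybox:1.36"}]}}}}}},
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "cfg"},
     "data": {"image": "not-a-container"}},
]


def main(argv: List[str]) -> int:
    run = "--run" in argv
    paths = [a for a in argv if a != "--run"]
    docs = SAMPLE_DOCS if not paths else [d for p in paths for d in load_documents(p)]
    images = unique_images(docs)
    for img in unpinned(images):
        print(f"warning: {img} is not pinned by digest; SBOM may drift", file=sys.stderr)
    for img in images:
        cmd = syft_command(img)
        print(" ".join(cmd))
        if run and shutil.which("syft"):
            subprocess.run(cmd, check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the commands generated for the built-in sample, or pass manifest paths (add `--run` to actually invoke Syft). In a PR pipeline the printed command list is the point: the same set of images, scanned on every change, is what lets CVE differences show up in review rather than at runtime.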