Export SBOM locally #889

Open
lucacome opened this issue Jun 29, 2023 · 0 comments
Labels
kind/enhancement New feature or request kind/upstream Changes need to be made on upstream project

Comments

@lucacome

Right now in my workflow I need to scan the newly created image with something like grype, then upload the SARIF to GitHub to see Code Scanning alerts.

I'd like to be able to at least skip a step and give grype the SBOM created by this action as an input. I think the SBOM might even be more accurate compared to the scan that grype performs since the SBOM is created at build time and might have more data if for example BUILDKIT_SBOM_SCAN_STAGE was used (I haven't confirmed this).

This is somewhat related to #861 I think, but submitting the SBOM to GitHub doesn't do any scanning for vulnerabilities as far as I can tell.

It's probably out of scope for this action to generate a SARIF that can be uploaded to GitHub (or even automatically pushed), but just throwing the idea out there 🙂
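
The shortcut the issue asks for (feed grype the build-time SBOM rather than rescanning the image) can already be done by hand today. The script below is an added example for this thread, not code from docker/build-push-action or grype. It assumes the input is an unpacked OCI image layout as produced by `docker buildx build --sbom=true --output type=oci,dest=image.tar .` (then `tar -xf image.tar -C layout`): BuildKit adds an `attestation-manifest` entry to `index.json` whose in-toto layers carry the SPDX document under the `https://spdx.dev/Document` predicate type. The script verifies each blob against its digest before trusting it, skips the SLSA provenance layer, keeps the extra per-stage SPDX documents that `BUILDKIT_SBOM_SCAN_STAGE` can add, and writes files grype reads with `grype sbom:<file> -o sarif`. The sample layout it builds for the demo is constructed inline (package names and versions are made up).

```python
"""Extract SPDX SBOM attestations from a BuildKit OCI layout for `grype sbom:<file>`.
Added example; not part of docker/build-push-action or grype."""
import hashlib
import json
import os
import sys
import tempfile

# Annotation keys / media types BuildKit uses for attestation manifests.
REF_TYPE, REF_DIGEST = "vnd.docker.reference.type", "vnd.docker.reference.digest"
INTOTO, PREDICATE_ANN = "application/vnd.in-toto+json", "in-toto.io/predicate-type"
SPDX, PROV = "https://spdx.dev/Document", "https://slsa.dev/provenance/v0.2"
MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"


def read_blob(layout, digest):
    """Load blobs/<algo>/<hex> and refuse it unless it hashes to the referenced digest."""
    algo, hexdigest = digest.split(":", 1)
    with open(os.path.join(layout, "blobs", algo, hexdigest), "rb") as fh:
        data = fh.read()
    if hashlib.new(algo, data).hexdigest() != hexdigest:
        raise ValueError(f"blob content does not match {digest}")
    return json.loads(data)


def extract_sboms(layout):
    """Return {image manifest digest: [SPDX document, ...]} for every attested image."""
    with open(os.path.join(layout, "index.json")) as fh:
        index = json.load(fh)
    found = {}
    for desc in index.get("manifests", []):
        ann = desc.get("annotations") or {}
        if ann.get(REF_TYPE) != "attestation-manifest":
            continue  # a platform image manifest, not an attestation
        subject = ann[REF_DIGEST]  # digest of the image this attestation describes
        for layer in read_blob(layout, desc["digest"]).get("layers", []):
            lann = layer.get("annotations") or {}
            if layer.get("mediaType") != INTOTO or lann.get(PREDICATE_ANN) != SPDX:
                continue  # e.g. the SLSA provenance layer
            statement = read_blob(layout, layer["digest"])
            if statement.get("predicateType") != SPDX:
                continue  # annotation and statement disagree; do not trust it
            # BUILDKIT_SBOM_SCAN_STAGE can produce several SPDX layers per image
            found.setdefault(subject, []).append(statement["predicate"])
    return found


def write_sboms(layout, outdir):
    """Write one SPDX JSON file per attestation (grype-readable); return the file names."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for subject, docs in extract_sboms(layout).items():
        for i, doc in enumerate(docs):
            names.append(f"sbom-{subject.split(':', 1)[1][:12]}-{i}.spdx.json")
            with open(os.path.join(outdir, names[-1]), "w") as fh:
                json.dump(doc, fh)
    return names


def build_sample_layout(root):
    """Constructed stand-in for the unpacked `--output type=oci` tar (sample data)."""
    os.makedirs(os.path.join(root, "blobs", "sha256"))

    def put(obj):  # write a JSON blob by digest, return its OCI descriptor fields
        data = json.dumps(obj, sort_keys=True).encode()
        hexdigest = hashlib.sha256(data).hexdigest()
        with open(os.path.join(root, "blobs", "sha256", hexdigest), "wb") as fh:
            fh.write(data)
        return {"digest": "sha256:" + hexdigest, "size": len(data)}

    image = put({"schemaVersion": 2, "mediaType": MANIFEST_MT, "layers": []})
    spdx = put({"_type": "https://in-toto.io/Statement/v0.1", "predicateType": SPDX,
                "subject": [{"name": "pkg:docker/sample", "digest": {"sha256": image["digest"][7:]}}],
                "predicate": {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "sample",
                              "packages": [{"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
                                            "versionInfo": "3.0.2-0ubuntu1.10"}]}})
    prov = put({"_type": "https://in-toto.io/Statement/v0.1", "predicateType": PROV, "predicate": {}})
    att = put({"schemaVersion": 2, "mediaType": MANIFEST_MT, "layers": [
        dict(spdx, mediaType=INTOTO, annotations={PREDICATE_ANN: SPDX}),
        dict(prov, mediaType=INTOTO, annotations={PREDICATE_ANN: PROV})]})
    index = {"schemaVersion": 2, "manifests": [
        dict(image, mediaType=MANIFEST_MT, platform={"os": "linux", "architecture": "amd64"}),
        dict(att, mediaType=MANIFEST_MT, platform={"os": "unknown", "architecture": "unknown"},
             annotations={REF_TYPE: "attestation-manifest", REF_DIGEST: image["digest"]})]}
    with open(os.path.join(root, "index.json"), "w") as fh:
        json.dump(index, fh)
    return image["digest"]


def run_demo():
    """Build the constructed layout, extract from it; return (image digest, sboms, file names)."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = os.path.join(tmp, "layout")
        digest = build_sample_layout(layout)
        return digest, extract_sboms(layout), write_sboms(layout, os.path.join(tmp, "out"))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 extract_sbom.py <unpacked oci layout> <outdir>
        for name in write_sboms(sys.argv[1], sys.argv[2]):
            print(f"grype sbom:{os.path.join(sys.argv[2], name)} -o sarif")
    else:
        print(run_demo())
```

Run it as `python3 extract_sbom.py layout out` and pipe the printed `grype sbom:... -o sarif` output into a file for the existing upload-sarif step. For an image that has already been pushed, `docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'` prints the same attestation without downloading the layout; the digest check in `read_blob` matters only when the layout comes from somewhere other than your own build.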

@crazy-max crazy-max added kind/enhancement New feature or request kind/upstream Changes need to be made on upstream project labels Mar 8, 2024
Projects
None yet
Development

No branches or pull requests

2 participants