local-container-scan's Issues
Check run name
Parse logs
Whitelisted vulnerabilities for CIS checks are shown on check run page
Dockle shows all the vulnerabilities in the output logs, even the ones which are whitelisted (The whitelisted vulnerabilities are marked with level "IGNORE"). However, in the code we are simply parsing through all the vulnerabilities without checking the level, and that's why we see the whitelisted vulnerabilities in the check-run description page.
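The fix the issue above describes, as an added example rather than the action's own code: parse Dockle's `--format json` output (a `summary` object plus a `details` array of `code`/`title`/`level`/`alerts` entries) and keep only the levels that should reach the check run, so whitelisted checks, which Dockle emits with level `IGNORE`, are dropped before the description is built. The sample report, its alert strings and the helper names are constructed for this example.

```typescript
// Added example, not the action's code: filter whitelisted (IGNORE) checks
// out of a Dockle JSON report before rendering the check-run description.

type DockleLevel = "FATAL" | "WARN" | "INFO" | "SKIP" | "PASS" | "IGNORE";

interface DockleDetail {
  code: string;     // e.g. "CIS-DI-0001"
  title: string;
  level: DockleLevel;
  alerts: string[];
}

interface DockleReport {
  summary: Record<string, number>;
  details: DockleDetail[];
}

// Only these levels are surfaced on the check run. IGNORE marks checks the
// user whitelisted (e.g. via .dockleignore); SKIP/PASS carry no finding.
const REPORTED_LEVELS: ReadonlySet<DockleLevel> = new Set<DockleLevel>(["FATAL", "WARN", "INFO"]);

// Constructed sample report: two real findings and two whitelisted checks.
// Alert texts are made up for this example.
const SAMPLE_DOCKLE_OUTPUT = JSON.stringify({
  summary: { fatal: 1, warn: 1, info: 0, skip: 0, pass: 12 },
  details: [
    { code: "CIS-DI-0001", title: "Create a user for the container", level: "WARN",
      alerts: ["Last user should not be root"] },
    { code: "CIS-DI-0005", title: "Enable Content trust for Docker", level: "IGNORE",
      alerts: ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"] },
    { code: "CIS-DI-0010", title: "Do not store credential in environment variables/files", level: "FATAL",
      alerts: ["Suspicious ENV key found : AWS_SECRET_ACCESS_KEY"] },
    { code: "DKL-DI-0006", title: "Avoid latest tag", level: "IGNORE",
      alerts: ["Avoid 'latest' tag"] },
  ],
});

// Parse the raw Dockle output and drop every entry whose level is not reportable.
// This is the step the original parser skipped: it iterated over all details.
function parseDockleFindings(output: string): DockleDetail[] {
  const report = JSON.parse(output) as DockleReport;
  if (!Array.isArray(report.details)) {
    throw new Error("Dockle output has no 'details' array");
  }
  return report.details.filter((d) => REPORTED_LEVELS.has(d.level));
}

// A FATAL finding should fail the check run; WARN/INFO are informational.
function hasFatalFindings(findings: DockleDetail[]): boolean {
  return findings.some((f) => f.level === "FATAL");
}

// Render the filtered findings as the check-run description text.
function formatCheckRunText(findings: DockleDetail[]): string {
  if (findings.length === 0) {
    return "No CIS benchmark failures found.";
  }
  return findings
    .map((f) => {
      const alerts = f.alerts.map((a) => `  - ${a}`).join("\n");
      return `${f.level} ${f.code} ${f.title}\n${alerts}`;
    })
    .join("\n");
}

// Stand-alone usage on the constructed sample.
const sampleFindings = parseDockleFindings(SAMPLE_DOCKLE_OUTPUT);
console.log(formatCheckRunText(sampleFindings));
console.log(hasFatalFindings(sampleFindings) ? "conclusion: failure" : "conclusion: success");
```

Filtering on `level` rather than on the check code keeps the whitelist logic in one place (the `.dockleignore` Dockle already honours) instead of re-implementing it in the action.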
Whitelist file path and naming.
It seems that other tools are keeping their configs in the root folder under a `.<toolname>` directory, e.g. `.circleci`, `.vscode`, `.dependabot`.
- We should stick to this convention, i.e. `.containerscan` in the root directory should contain the whitelist file.
- That said, should we think of a better name or is `container scan` good to go?

@pingvishal-msft @ammohant - thoughts?
Check run improvements.
- Make the text in the check run more meaningful. Refer to the comments in pull request #6
- Review the text used
- Should we display the detailed error in case of a failure while scanning, or is its right place only in the logs?
Lacking consistency in details page
Make Scan calls Silent
In Trivy output, there are duplicate CVEs.
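One way to collapse the duplicate CVE rows mentioned above, as an added example rather than the action's own code: key each Trivy vulnerability on the tuple that makes a finding distinct (`VulnerabilityID`, `PkgName`, `InstalledVersion`) and keep the first row per key, so identical repeats disappear while the same CVE against a different package or version is kept. The sample uses the legacy top-level-array Trivy JSON layout with placeholder CVE identifiers; the layout and the helper names are assumptions for this example.

```typescript
// Added example, not the action's code: de-duplicate Trivy JSON findings.
// Layout assumed: a top-level array of targets, each with a Vulnerabilities
// array (which Trivy emits as null for targets with nothing found).

interface TrivyVulnerability {
  VulnerabilityID: string;
  PkgName: string;
  InstalledVersion: string;
  FixedVersion?: string;
  Severity: string;
}

interface TrivyTarget {
  Target: string;
  Vulnerabilities: TrivyVulnerability[] | null;
}

// Constructed sample with placeholder CVE IDs: the same row reported twice,
// the same CVE against a different package (a distinct finding), and a
// target with no vulnerabilities (null, as Trivy emits it).
const SAMPLE_TRIVY_OUTPUT = JSON.stringify([
  {
    Target: "example:latest (debian 10.4)",
    Vulnerabilities: [
      { VulnerabilityID: "CVE-2000-0001", PkgName: "libexample1", InstalledVersion: "1.0-1",
        FixedVersion: "1.0-1+deb10u1", Severity: "HIGH" },
      { VulnerabilityID: "CVE-2000-0001", PkgName: "libexample1", InstalledVersion: "1.0-1",
        FixedVersion: "1.0-1+deb10u1", Severity: "HIGH" },
      { VulnerabilityID: "CVE-2000-0001", PkgName: "libexample1-dev", InstalledVersion: "1.0-1",
        FixedVersion: "1.0-1+deb10u1", Severity: "HIGH" },
      { VulnerabilityID: "CVE-2000-0002", PkgName: "libexample1", InstalledVersion: "1.0-1",
        Severity: "MEDIUM" },
    ],
  },
  { Target: "Node.js", Vulnerabilities: null },
]);

// Identity of a finding: the same CVE in two different packages (or two
// installed versions) is two findings, so all three fields go into the key.
function findingKey(v: TrivyVulnerability): string {
  return `${v.VulnerabilityID}|${v.PkgName}|${v.InstalledVersion}`;
}

// Flatten all targets and keep the first row for each key, preserving order.
function dedupeVulnerabilities(trivyJson: string): TrivyVulnerability[] {
  const targets = JSON.parse(trivyJson) as TrivyTarget[];
  const seen = new Map<string, TrivyVulnerability>();
  for (const target of targets) {
    for (const v of target.Vulnerabilities ?? []) {
      const key = findingKey(v);
      if (!seen.has(key)) {
        seen.set(key, v);
      }
    }
  }
  return [...seen.values()];
}

// Severity counts over the de-duplicated list, for the check-run summary line.
function countBySeverity(findings: TrivyVulnerability[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) {
    counts[f.Severity] = (counts[f.Severity] ?? 0) + 1;
  }
  return counts;
}

// Stand-alone usage on the constructed sample.
const uniqueFindings = dedupeVulnerabilities(SAMPLE_TRIVY_OUTPUT);
console.log(`${uniqueFindings.length} unique findings`, countBySeverity(uniqueFindings));
```

Counting severities after de-duplication matters for the check run: counting the raw rows would inflate the HIGH total and could fail a build on a threshold that the real findings do not reach.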
Add README.md
Add a README file for explaining the usage and assumptions
SPIKE: Test the hard limits of check run details
Items for next iteration
- Currently, the whitelist file is expected at a particular path in the repo with the name `whitelist.yaml`. This means if the user gives `whitelist.yml` as the name of the file, it would be ignored.
- The action puts the `.dockleignore` file at the root of the repo. Try to put it in the container scan folder and give cwd as an option in ToolRunner.
- Output is not set currently.
Fix the empty section in details
Displaying Licenses in logs