
[FEATURE] add `json` format to cves command

Open anubhav06 opened this issue 6 months ago • 0 comments

Currently, there is no machine-readable output format for the cves command that supports listing both the architecture of the image and the fixed_in version of the vulnerability.

While this information is available separately in different formats—for example, architecture is included in the sbom format and fixed_in is available in the sarif format—there is no single format that provides both.

I propose adding a new json output format that includes both fields. This is not a new requirement; tools like Grype and Trivy already support formats that include this information. Even Docker Scout has a packages format that provides these details, although it is in a pretty-printed format and not machine-readable.

Implementing this should not be difficult, as the information is already available internally.

The following are the basic requirements that are expected in a single format:

  • vuln_package
    • name
    • installedVersion
    • fixedVersion
    • vulnerabilityID
  • image
    • os_type
    • os_version
    • os_arch

anubhav06 · May 24 '25 16:05
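An added example that is not part of the issue or of the scout-cli project: a small Python consumer of the output format the issue proposes, which is the kind of tooling the request is meant to enable (triage of fixable findings per image architecture). It assumes the field names exactly as listed in the issue's bullets (`image.os_type`, `image.os_version`, `image.os_arch`, and a `vuln_package` list with `name`, `installedVersion`, `fixedVersion`, `vulnerabilityID`) and that an empty `fixedVersion` means no fix is available; both are assumptions, since the format does not exist yet. The report text is constructed inline with placeholder CVE identifiers.

```python
import json

# Assumed schema, taken from the issue's bullet list (not Docker Scout's real output).
REQUIRED_IMAGE_KEYS = ("os_type", "os_version", "os_arch")
REQUIRED_PKG_KEYS = ("name", "installedVersion", "fixedVersion", "vulnerabilityID")

# Constructed sample report in the proposed format; CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "image": {"os_type": "debian", "os_version": "12", "os_arch": "arm64"},
    "vuln_package": [
        {"name": "libssl3", "installedVersion": "3.0.11-1",
         "fixedVersion": "3.0.13-1", "vulnerabilityID": "CVE-EXAMPLE-0001"},
        {"name": "libssl3", "installedVersion": "3.0.11-1",
         "fixedVersion": "3.0.14-1", "vulnerabilityID": "CVE-EXAMPLE-0002"},
        {"name": "zlib1g", "installedVersion": "1.2.13",
         "fixedVersion": "", "vulnerabilityID": "CVE-EXAMPLE-0003"},
        {"name": "curl", "installedVersion": "8.4.0-1",
         "fixedVersion": "8.5.0-1", "vulnerabilityID": "CVE-EXAMPLE-0004"},
    ],
})


def load_report(text: str) -> dict:
    """Parse the JSON text and check that every field the issue asks for is present."""
    report = json.loads(text)
    image = report.get("image")
    if not isinstance(image, dict):
        raise ValueError("missing 'image' object")
    for key in REQUIRED_IMAGE_KEYS:
        if key not in image:
            raise ValueError(f"image is missing '{key}'")
    packages = report.get("vuln_package")
    if not isinstance(packages, list):
        raise ValueError("missing 'vuln_package' list")
    for pkg in packages:
        for key in REQUIRED_PKG_KEYS:
            if key not in pkg:
                raise ValueError(f"vuln_package entry is missing '{key}'")
    return report


def is_valid_report(text: str) -> bool:
    """True if the text parses and carries all required fields."""
    try:
        load_report(text)
        return True
    except (ValueError, TypeError):
        return False


def fixable(report: dict) -> list:
    """Findings that can be closed by upgrading the package (assumption: empty fixedVersion = no fix)."""
    return [p for p in report["vuln_package"] if p["fixedVersion"]]


def unfixed(report: dict) -> list:
    """Findings with no fixed version yet; these need a different mitigation than a package bump."""
    return [p for p in report["vuln_package"] if not p["fixedVersion"]]


def upgrade_plan(report: dict) -> dict:
    """Collapse fixable findings per package name.

    Version ordering is distro-specific, so when several CVEs name different
    fixed versions all of them are listed (sorted as strings) rather than
    guessing which one is newest.
    """
    plan = {}
    for pkg in fixable(report):
        entry = plan.setdefault(pkg["name"], {
            "installed": pkg["installedVersion"], "fixed_in": set(), "cves": []})
        entry["fixed_in"].add(pkg["fixedVersion"])
        entry["cves"].append(pkg["vulnerabilityID"])
    return {name: {"installed": e["installed"],
                   "fixed_in": sorted(e["fixed_in"]),
                   "cves": e["cves"]} for name, e in plan.items()}


def summary(report: dict) -> dict:
    """Counts keyed by the image architecture, which is what the sbom/sarif split currently loses."""
    return {
        "os_arch": report["image"]["os_arch"],
        "total": len(report["vuln_package"]),
        "fixable": len(fixable(report)),
        "unfixed": len(unfixed(report)),
    }


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print(json.dumps(summary(rep), indent=2))
    print(json.dumps(upgrade_plan(rep), indent=2))
```

Because the arch is carried in the same document as the fixed versions, a CI job can key the upgrade plan by `os_arch` for multi-platform images without joining two separate output formats.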