Adin Ermie

Results 13 comments of Adin Ermie

Thanks, @DmitriyLewen, here are the results using that command... Trivy `-f json --list-all-pkgs` command output

```CMD
2022-05-06T12:45:39.8172803Z {
2022-05-06T12:45:39.8173435Z "SchemaVersion": 2,
2022-05-06T12:45:39.8174471Z "ArtifactName": "myapp:20220506-1",
2022-05-06T12:45:39.8174881Z "ArtifactType": "container_image",
2022-05-06T12:45:39.8175173Z "Metadata": {...
```

Thanks @DmitriyLewen, This was just one example (I didn't want to submit a long list all at once). Recently, our Docker containers that are built using `amazonlinux:2` are throwing many...

Sure, sorry I missed your message @DmitriyLewen. Here's a code snippet of it:

```dockerfile
FROM amazonlinux:2
RUN yum install awscli -y \
    && yum install -y shadow-utils \
    && yum...
```

Hey @DmitriyLewen, I wanted to follow up on this issue, as I've discovered a few more important/interesting pieces of information. Firstly, there is another tool (Anchore's [Grype](https://github.com/anchore/grype)) that seems to...

Hey @DmitriyLewen, thanks for the response. What I'm not clear on is, what is Grype scanning/checking that Trivy is not? Or, might it have to do with which advisory sources...

Hey @DmitriyLewen, Grype actually lists which databases it uses here: https://github.com/anchore/grype#grypes-database There are 10 vulnerability data sources in total. It just feels like Grype is a more complete/robust tool based...

This is exactly what I'm looking for, and what other Terraform scanning tools (i.e. TFSec, Checkov, TFLint, TerraScan, etc.) already provide. Is there any ETA when this feature might be...

I've used the following to ensure the "Upload Anchore scan SARIF report" step will run regardless of whether the scan reports vulnerabilities or not.

```YAML
if: ${{ success() || failure() }}...
```

@straubt1 can we please include some example code for the Key Vault? From the example provided, it implies that Terraform is creating the Key Vault vs linking to an existing...