
Specify on SARIF report which Dockerfile/image is being scanned

Open WolfangAukang opened this issue 3 years ago • 5 comments

I want to implement Trivy Github Action on a repo that contains multiple variants of a container image. The idea is that I am running a workflow for each version, like:

  • Workflow 1 will build image myimage:variantX and scan it
  • Workflow 2 will build image myimage:variantY and scan it

The problem I'm having currently, and I don't know if a solution is already available, is that in the Security > Code Scanning Alerts > Trivy section of the repo, I can see the issues are referring to a Dockerfile, which is okay.

[Screenshot from 2020-10-21 11-26-58]

But in the case where we are doing a scan for each image variant, I want to see which image/Dockerfile specifically the alert is referring to.

I see the sarif template at contrib/sarif.tpl has the following section:

...
"locations": [{
  "physicalLocation": {
    "artifactLocation": {
      "uri": "Dockerfile"
    },
...

Which I would believe is where it specifies the name.

Is that feasible to do?

WolfangAukang avatar Oct 21 '20 18:10 WolfangAukang
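One way to get the per-variant distinction the post asks for without changing Trivy itself is to post-process each workflow's SARIF file before upload: point the result locations at that variant's Dockerfile and give the run its own `automationDetails.id` (a SARIF 2.1.0 property that GitHub code scanning uses to keep separate uploads apart). The script below is an added example, not Trivy's code or the template from contrib/sarif.tpl; the sample report, the rule id, the image name and the `variants/<name>/Dockerfile` layout are all constructed assumptions.

```python
import json

# Constructed minimal SARIF 2.1.0 report in the shape produced by Trivy's
# contrib/sarif.tpl (one run, one result located at "Dockerfile").
# Not real Trivy output; the rule id is a placeholder, not a real CVE.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy"}},
        "results": [{
            "ruleId": "CVE-EXAMPLE-0001",
            "level": "error",
            "message": {"text": "example finding"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": "Dockerfile"},
                    "region": {"startLine": 1, "startColumn": 1,
                               "endLine": 1, "endColumn": 1},
                }
            }],
        }],
    }],
}


def tag_sarif_with_image(report: dict, image_ref: str, dockerfile: str) -> dict:
    """Return a copy of `report` whose result locations point at `dockerfile`
    and whose run carries `image_ref` in automationDetails.id, so uploads
    from several per-variant workflows do not overwrite one another."""
    tagged = json.loads(json.dumps(report))  # deep copy; leave the input untouched
    for run in tagged.get("runs", []):
        # One id per scanned image; GitHub treats this as the upload category.
        run["automationDetails"] = {"id": f"trivy/{image_ref}"}
        for result in run.get("results", []):
            # Put the image name in the alert text as well as in the location.
            result["message"]["text"] = f"[{image_ref}] {result['message']['text']}"
            for loc in result.get("locations", []):
                phys = loc.setdefault("physicalLocation", {})
                phys.setdefault("artifactLocation", {})["uri"] = dockerfile
    return tagged


if __name__ == "__main__":
    # Assumed per-variant layout: each variant keeps its Dockerfile under variants/<name>/.
    out = tag_sarif_with_image(SAMPLE_SARIF, "myimage:variantX",
                               "variants/variantX/Dockerfile")
    print(json.dumps(out, indent=2))
```

Run it once per workflow on the SARIF file Trivy wrote, then upload the rewritten file; each variant's alerts then show their own Dockerfile path and image name.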