Specify on SARIF report which Dockerfile/image is being scanned
I want to implement Trivy Github Action on a repo that contains multiple variants of a container image. The idea is that I am running a workflow for each version, like:
- Workflow 1 will build image `myimage:variantX` and scan it
- Workflow 2 will build image `myimage:variantY` and scan it
The problem I'm having currently and I don't know if a solution is already available is that on the Security > Code Scanning Alerts > Trivy section at the repo, I can see the issues are referring to a Dockerfile, which is okay.
But in the case we are doing a scan for each image variant, I want to see to which image/Dockerfile specifically is the alert referring to.
I see the sarif template at `contrib/sarif.tpl` has the following section:

```
...
"locations": [{
  "physicalLocation": {
    "artifactLocation": {
      "uri": "Dockerfile"
    },
...
```

which I would believe is where it specifies the name.

Is that feasible to be done?
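One way to get per-variant alerts without changing Trivy itself is to post-process each workflow's SARIF file before uploading it. The added example below is not part of Trivy or the original post; it assumes a constructed report shaped like the output of `contrib/sarif.tpl`, rewrites the `artifactLocation.uri` of every `Dockerfile` location to a per-variant path, and records the image reference in the run so the two uploads stay distinguishable.

```python
"""Tag each result in a Trivy SARIF report with the image variant it came from."""
import copy
import json

# Constructed sample, shaped like the output of Trivy's contrib/sarif.tpl
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy"}},
        "results": [{
            "ruleId": "CVE-0000-0000",  # constructed placeholder id
            "message": {"text": "example finding"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "Dockerfile"},
                "region": {"startLine": 1}}}],
        }],
    }],
}


def tag_variant(sarif: dict, image_ref: str, dockerfile: str) -> dict:
    """Return a copy of `sarif` whose Dockerfile locations point at `dockerfile`
    and whose run carries `image_ref`, so alerts from different variants stay apart."""
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        # automationDetails.id is the SARIF field GitHub uses to keep uploads separate
        run["automationDetails"] = {"id": f"trivy/{image_ref}"}
        run.setdefault("properties", {})["imageRef"] = image_ref
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                if phys.get("artifactLocation", {}).get("uri") == "Dockerfile":
                    phys["artifactLocation"]["uri"] = dockerfile
            # Prefix the message so the variant is visible in the alert list itself
            result["message"]["text"] = f"[{image_ref}] " + result["message"]["text"]
    return out


if __name__ == "__main__":
    tagged = tag_variant(SAMPLE_SARIF, "myimage:variantX", "variantX/Dockerfile")
    print(json.dumps(tagged, indent=2))
```

Run it once per workflow with that workflow's image reference and Dockerfile path, then upload the rewritten file instead of the raw Trivy output.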