Dan Luhring

Just catching up — if we're going with option 2 from the [comment](https://github.com/anchore/syft/issues/592#issuecomment-1006821718) above, does that mean there's no work in Syft code for this any more, and it's just...

Perfect, thanks @samj1912!

Hi @sophiewigmore 👋 Great question. We're talking about this right now, actually. Our intent is to provide a well-documented, stable library API. We're not quite there yet. We'll use this...

@lucapisciotta This is a great point! We should do that. I could see this being available as an input to the action (under the `with` block). We also have a...

Thanks @alfredodeza! @kzantow can you look into this when you get a chance?

Thanks for the comments! I'll try to keep my thoughts organized by topic... ## Including an `invocation` section (question 1) >I'm saying here: "This vuln spec generated in GitHub Action...

>it still incurs maintenance cost for cosign CLI and SDK maintainers who shouldn't care about K8s' own large dependency graph, security alerts, dependabots, etc. 💯 We're working on integrating some...

>>Today, if I want to do anything with container images, my go.mod picks up deps to serve all of the above. > >I don't think this part is necessarily true,...

Thanks @cpanato for finding those! 🙏 I also found a handful of other spots we're using the `sget` command, and I removed them. Let me know if this was too...

> I'd honestly still rather wait here until we have a plan. I don't think it's going to take forever to get something drafted, but doing it in a rush...