Pass Trivy's SBOM's filepath field into Container Scanning report for pipeline security tab


Release notes

Problem to solve

Since Generate SBOM in Container Scanning for Trivy-b... (#396381 - closed), SBOM generation is supported during Container Scanning. However, the report does not show the exact source module that introduced a Trivy finding.

Proposal

The SBOM report contains the source filepath. Can we pass it into the same Location > File: field as we do for Dependency Scanning?

Example: https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/pipelines/1146071648/security?reportType=CONTAINER_SCANNING,DEPENDENCY_SCANNING
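The join the proposal describes, as an added illustration (not GitLab's or Trivy's code): match each container scanning finding to its SBOM component by package name and version and copy the component's file path into `location.file`. The `aquasecurity:trivy:FilePath` property name, the trimmed report shape and the sample data are assumptions constructed for this example.

```python
from collections import defaultdict

# Property Trivy attaches to language-package components in its CycloneDX output.
# Assumed name, not taken from the issue text.
FILE_PATH_PROP = "aquasecurity:trivy:FilePath"

# Constructed sample SBOM: an npm package with a file path and an OS package without one.
TRIVY_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20",
         "properties": [{"name": FILE_PATH_PROP, "value": "app/node_modules/lodash/package.json"}]},
        {"name": "openssl", "version": "1.1.1k-r0", "purl": "pkg:apk/alpine/openssl@1.1.1k-r0",
         "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "alpine"}]},
    ],
}

# Constructed sample container scanning report (GitLab report shape, trimmed to location).
CS_REPORT = {"vulnerabilities": [
    {"id": "cve-a", "location": {"image": "app:1.0",
        "dependency": {"package": {"name": "lodash"}, "version": "4.17.20"}}},
    {"id": "cve-b", "location": {"image": "app:1.0",
        "dependency": {"package": {"name": "openssl"}, "version": "1.1.1k-r0"}}},
]}

def index_file_paths(sbom):
    """Map (name, version) -> set of file paths declared on the SBOM components."""
    index = defaultdict(set)
    for comp in sbom.get("components", []):
        for prop in comp.get("properties", []):
            if prop.get("name") == FILE_PATH_PROP and prop.get("value"):
                index[(comp.get("name"), comp.get("version"))].add(prop["value"])
    return index

def add_file_locations(report, sbom):
    """Fill location.file for findings whose package maps to exactly one SBOM path.
    Unknown or ambiguous packages are left untouched rather than guessed; returns the count enriched."""
    index = index_file_paths(sbom)
    enriched = 0
    for vuln in report.get("vulnerabilities", []):
        loc = vuln.get("location", {})
        dep = loc.get("dependency", {})
        key = (dep.get("package", {}).get("name"), dep.get("version"))
        paths = index.get(key, set())
        if len(paths) == 1:
            loc["file"] = next(iter(paths))
            enriched += 1
    return enriched
```

Running `add_file_locations(CS_REPORT, TRIVY_SBOM)` fills the file path for the lodash finding only; the OS package has no path in the SBOM and keeps its existing location.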

Intended users

Feature Usage Metrics

Does this feature require an audit event?

No, since this is only a UI improvement.

