Scan the built image for vulnerabilities and build the SBOM

Scan for vulnerabilities and build the SBOM (with Trivy) when building the image. The scan report can be stored as a job artifact. Ideally the scan is also run periodically, not only at build time, so that newly published vulnerabilities in an unchanged image are still picked up.
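One way to wire this into GitLab CI, as an added example that is not this project's pipeline and not code from the Trivy project: a `trivy_scan` job that scans the image built by the preceding stage, writes a CycloneDX SBOM, keeps both as job artifacts, and is re-run by a pipeline schedule. The `build` job, the image tag `$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA`, the registry credentials passed through `TRIVY_USERNAME`/`TRIVY_PASSWORD`, and the existence of a pipeline schedule for the periodic run are assumptions.

```yaml
# Added example (not this project's pipeline). Assumes an earlier `build` job
# pushed the image as $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA and that a pipeline
# schedule exists for the periodic re-scan.
stages:
  - build
  - scan

variables:
  IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
  rules:
    # On a scheduled pipeline only the scan runs, against the image already
    # pushed for the branch head.
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    - if: $CI_COMMIT_BRANCH

trivy_scan:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: .trivycache/
    # Registry credentials so Trivy can pull the image layers (assumed).
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  cache:
    paths:
      - .trivycache/
  script:
    # Fetch the vulnerability DB once; the scans below then use the cache.
    - trivy image --download-db-only
    # Human-readable summary in the job log (never fails the job).
    - trivy image --exit-code 0 --severity HIGH,CRITICAL "$IMAGE"
    # Machine-readable report kept as an artifact.
    - trivy image --exit-code 0 --format json --output trivy-image-report.json "$IMAGE"
    # GitLab container-scanning report so findings appear in the MR security widget.
    - trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl"
        --output gl-container-scanning-report.json "$IMAGE"
    # SBOM of the image in CycloneDX format.
    - trivy image --format cyclonedx --output sbom.cdx.json "$IMAGE"
    # Filesystem scan of the checked-out source (dependency manifests, IaC).
    - trivy fs --exit-code 0 --format json --output trivy-fs-report.json .
    # Gate: fail only on CRITICAL findings that already have a fix available.
    - trivy image --exit-code 1 --ignore-unfixed --severity CRITICAL "$IMAGE"
  artifacts:
    when: always
    paths:
      - trivy-image-report.json
      - trivy-fs-report.json
      - sbom.cdx.json
    reports:
      container_scanning: gl-container-scanning-report.json
      cyclonedx: sbom.cdx.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_COMMIT_BRANCH
```

The last `trivy image` call is the only one with `--exit-code 1`, so the reports and SBOM are always produced and uploaded (`artifacts: when: always`) before the job decides whether to fail; `--ignore-unfixed` keeps the gate from blocking on findings that cannot yet be remediated, while they remain visible in the JSON report. The scheduled run reuses the same job, so the periodic scan covers exactly the image that was last built for the branch.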

The following tools are worth considering:

  • Trivy scanning a file system: https://aquasecurity.github.io/trivy/v0.17.2/scanning/filesystem/

Additionally:

  • nuclei: https://github.com/projectdiscovery/nuclei
  • linpeas: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
  • pspy: https://github.com/DominicBreuker/pspy

cc @cristian.manda @bogdan.nicolae, @alain.thioliere

Edited Dec 21, 2023 by Pierrick Seite