mluker/secure-supply-chain
SBOM & Vulnerability scanning

Use the provided devcontainer to start working with SBOMs and Vulnerability scanners.

Environment variables

Set the following environment variables; every command below reads them.

# The image to work with
IMAGE=nginx

# The root folder for the results output
RESULTS_FOLDER=results

SBOM tooling

Syft

# The sed pipeline strips ':', '/' and '@' from the image reference so the output name is a single flat file
syft $IMAGE -o spdx-json --file "${RESULTS_FOLDER}"/"$(echo syft_${IMAGE}.json | sed 's/://g;s/\///g;s/@//g')"

Microsoft sbom-tool

# Overwrite an existing _manifest directory instead of failing
export DeleteManifestDirIfPresent=true

sbom-tool generate -di $IMAGE \
    -b $RESULTS_FOLDER \
    -bc . \
    -pn package-name \
    -ps package-supplier \
    -nsb https://example.com \
    -pv 1
# -di  docker image(s) to scan
# -b   build drop path where the manifest is written
# -bc  build component path (source tree to scan)
# -pn  package name, -ps package supplier, -pv package version
# -nsb namespace URI base used in the SPDX document namespace

Vulnerability scanning

Grype

# Output is SARIF (a JSON format); the filename is sanitised the same way as for syft
grype $IMAGE -o sarif --file "${RESULTS_FOLDER}"/"$(echo grype_${IMAGE}.json | sed 's/://g;s/\///g;s/@//g')"

Trivy

# Same SARIF output and filename sanitisation, using trivy's -f/-o flags
trivy image $IMAGE -f sarif -o "${RESULTS_FOLDER}"/"$(echo trivy_${IMAGE}.json | sed 's/://g;s/\///g;s/@//g')"

Bulk command

./generate-all.sh "nginx,busybox" true true true true results
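The following script is an added example, not part of this repository and not the generate-all.sh script above. It wraps the filename sanitisation used by every command on this page in one function, builds the per-tool results path from it, and loops over a comma-separated image list the way the bulk command does, running only the scanners that are actually installed. The function names (sanitize_image_name, results_path, scan_image, scan_images) are assumptions.

```shell
#!/bin/sh
# Added example, not code from mluker/secure-supply-chain. Function names are assumptions.

# Strip the characters an OCI reference can carry that are unsafe in a flat filename:
# ':' (tag or registry port), '/' (registry and repository path, which would otherwise
# create nested directories under the results folder) and '@' (digest separator).
# This is the same sed pipeline the README commands use inline.
sanitize_image_name() {
    printf '%s' "$1" | sed 's/://g;s/\///g;s/@//g'
}

# Build <results folder>/<tool>_<sanitized image>.<ext>
# $1 = results folder, $2 = tool name, $3 = image reference, $4 = extension
results_path() {
    printf '%s/%s_%s.%s' "$1" "$2" "$(sanitize_image_name "$3")" "$4"
}

# Run syft, grype and trivy against one image; a tool that is not on PATH is skipped
# rather than aborting the whole run.
scan_image() {
    image="$1"
    results="$2"
    mkdir -p "$results"
    if command -v syft >/dev/null 2>&1; then
        syft "$image" -o spdx-json --file "$(results_path "$results" syft "$image" json)"
    fi
    if command -v grype >/dev/null 2>&1; then
        grype "$image" -o sarif --file "$(results_path "$results" grype "$image" json)"
    fi
    if command -v trivy >/dev/null 2>&1; then
        trivy image "$image" -f sarif -o "$(results_path "$results" trivy "$image" json)"
    fi
}

# Loop over a comma-separated list such as "nginx,busybox" (empty entries are ignored).
scan_images() {
    list="$1"
    results="${2:-results}"
    printf '%s\n' "$list" | tr ',' '\n' | while read -r image; do
        [ -n "$image" ] && scan_image "$image" "$results"
    done
}

# Usage: ./scan.sh "nginx,busybox" results
if [ $# -gt 0 ]; then
    scan_images "$1" "${2:-results}"
fi
```

Because the sanitiser only removes characters, two different references can still collide (for example an image pulled by tag and the same image pulled by digest map to distinct names, but `a/b` and `ab` do not); if that matters for your pipeline, include the image digest in the results path rather than the tag.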
