Replies: 3 comments
-
@bmnielsen sorry for missing your issue. could you confirm that the problem is actual yet? thanks |
Beta Was this translation helpful? Give feedback.
-
I am using the workaround mentioned at the end of my post (building a separate image for Trivy that always has the same image name). But I think it would be a good idea for Trivy to explicitly set the fingerprint to allow scanning of the deployed container image. |
Beta Was this translation helpful? Give feedback.
-
@afdesk Is this something that can be investigated? Do you need any more information on this feature request? |
Beta Was this translation helpful? Give feedback.
-
I use Trivy in a GitHub Actions workflow, where the steps are roughly:
The problem I am seeing is that if the container image name changes between workflow runs (which normally happens when a new version of the code is being built), GitHub's alert deduplication no longer works, so alerts I have previously dismissed will get created again in the open state.
I would therefore like to suggest that Trivy add fingerprints to SARIF output so that GitHub (and others) can use this for alert deduplication. GitHub's alert deduplication is described here: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#preventing-duplicate-alerts-using-fingerprints
I assume that GitHub's fallback deduplication logic uses some combination of artifact location (which is the container name for Trivy) and rule ID, so I've been able to work around this problem for now by setting up a separate code scanning workflow that uses a fixed container image name.
Beta Was this translation helpful? Give feedback.
All reactions