Hello @Mar0dev, you use … But in your case, Trivy takes other files to detect licenses.

Small example for you:

```dockerfile
FROM node
# Python side: pip installs leave <pkg>.dist-info/METADATA files under dist-packages
RUN apt-get update && apt-get -y install python3-pip
RUN pip3 install awscli --break-system-packages
# Node side: npm ci from the lock file fills node_modules with per-package package.json files
COPY ./package-lock.json /app/package-lock.json
RUN cd /app && npm init -y && npm ci
```

Check Trivy output in:

```shell
trivy -d image --scanners license -f json 6684
```

```json
...
{
  "Target": "Python",
  "Class": "license",
  "Licenses": [
    {
      "Severity": "LOW",
      "Category": "notice",
      "PkgName": "colorama",
      "FilePath": "usr/local/lib/python3.11/dist-packages/colorama-0.4.6.dist-info/METADATA",
      "Name": "BSD-3-Clause",
      "Confidence": 1,
      "Link": ""
    },
...
  "Target": "Node.js",
  "Class": "license",
  "Licenses": [
    {
      "Severity": "LOW",
      "Category": "notice",
      "PkgName": "corepack",
      "FilePath": "usr/local/lib/node_modules/corepack/package.json",
      "Name": "MIT",
      "Confidence": 1,
      "Link": ""
    },
...
```

Regards, Dmitriy
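The reply shows what Trivy's license JSON looks like per target ("Python", "Node.js") and per package. When the goal, as in the question, is to scan images in a pipeline and fail the build on unwanted licenses, the report has to be parsed rather than eyeballed. The script below is an added example, not code from Trivy or from either participant. It only relies on the fields visible in the output above (`Results[].Target`, `Results[].Class == "license"`, `Licenses[].PkgName/Name/Category/Severity/FilePath`); the embedded sample report is constructed, and the second Python entry (`some-gpl-lib`) and the OS result are invented to exercise the checks. The allow list and the `expected_targets` check are my additions: the latter turns "a target that produced no license entries at all", which is the symptom in the question, into a failure instead of a silent pass.

```python
"""Gate a pipeline on Trivy's license scan output.

Added example, not code from Trivy or from this discussion. It reads the JSON
that `trivy image --scanners license -f json` writes and assumes only the
fields visible in the reply above: Results[].Target, Results[].Class ==
"license", and Licenses[].{PkgName, Name, Category, Severity, FilePath}.
"""
import json
import sys
from collections import defaultdict

# Constructed sample shaped like the reply's output. The second Python entry
# ("some-gpl-lib") and the OS result are invented to exercise the checks.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "debian 12", "Class": "os-pkgs",  # not a license result
            "Vulnerabilities": [],
        },
        {
            "Target": "Python", "Class": "license",
            "Licenses": [
                {"Severity": "LOW", "Category": "notice", "PkgName": "colorama",
                 "FilePath": "usr/local/lib/python3.11/dist-packages/colorama-0.4.6.dist-info/METADATA",
                 "Name": "BSD-3-Clause", "Confidence": 1, "Link": ""},
                {"Severity": "HIGH", "Category": "restricted", "PkgName": "some-gpl-lib",
                 "FilePath": "usr/local/lib/python3.11/dist-packages/some_gpl_lib-1.0.dist-info/METADATA",
                 "Name": "GPL-3.0", "Confidence": 1, "Link": ""},
            ],
        },
        {
            "Target": "Node.js", "Class": "license",
            "Licenses": [
                {"Severity": "LOW", "Category": "notice", "PkgName": "corepack",
                 "FilePath": "usr/local/lib/node_modules/corepack/package.json",
                 "Name": "MIT", "Confidence": 1, "Link": ""},
            ],
        },
    ]
})


def license_findings(report_json):
    """Yield (target, package, license, category, file_path) for each license entry."""
    report = json.loads(report_json)
    for result in report.get("Results", []):
        if result.get("Class") != "license":
            continue  # vulnerability and misconfig results use other classes
        for lic in result.get("Licenses", []):
            yield (result["Target"], lic["PkgName"], lic["Name"],
                   lic["Category"], lic["FilePath"])


def summarize_by_target(report_json):
    """Map target -> license name -> sorted package names (for a human summary)."""
    summary = defaultdict(lambda: defaultdict(set))
    for target, pkg, name, _category, _path in license_findings(report_json):
        summary[target][name].add(pkg)
    return {t: {n: sorted(p) for n, p in lics.items()} for t, lics in summary.items()}


def check_allow_list(report_json, allowed, expected_targets=()):
    """Return violations as strings; an empty list means the image passes.

    Two failure modes are reported: a package whose license is not in
    `allowed`, and an expected target (e.g. "Node.js" for a frontend image)
    that produced no license entries at all, which would otherwise pass silently.
    """
    violations = []
    seen = set()
    for target, pkg, name, category, path in license_findings(report_json):
        seen.add(target)
        if name not in allowed:
            violations.append(f"{target}: {pkg} is {name} ({category}) at {path}")
    for target in expected_targets:
        if target not in seen:
            violations.append(
                f"{target}: no license results; check that the package "
                "metadata files are present in the image")
    return violations


if __name__ == "__main__":
    # Usage: python check_licenses.py report.json [Target ...]
    # Without arguments the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    expected = tuple(sys.argv[2:]) or ("Python", "Node.js")
    for target, lics in summarize_by_target(data).items():
        print(target)
        for name, pkgs in lics.items():
            print(f"  {name}: {', '.join(pkgs)}")
    problems = check_allow_list(data, {"MIT", "BSD-3-Clause", "Apache-2.0"}, expected)
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)
```

In the pipeline described in the question the report would be produced with `trivy image --scanners license -f json -o report.json <image>` and then passed to the script with the targets the image is expected to contain (`Python` for the backend image, `Node.js` for the frontend one), so an image whose packages were not picked up fails the job rather than looking clean.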
Question
Hello team,
My current configuration consists of frontend (JS) and backend (Python) applications. Code is hosted in self-managed GitLab. In pipelines I build Docker images which are then hosted in Google Artifact Registry. The goal is to scan licenses of the installed packages.
To perform scans I have a third image that performs security scans and has Trivy installed in it. It has access to Google AR.
I have reviewed the documentation, but still can't decide on the best approach. For the backend (Python) I use "pip install" from a requirements.txt file. To my surprise, when I scan the image with Python packages installed this way I can see licenses under "Python (license)" properly.
For frontend images I use "RUN npm ci --cache .npm --prefer-offline", which installs from package-lock.json.
Based on the documentation, the image scan that I perform, "trivy image --scanners license gar-container", should not list licenses of both npm- and pip-installed packages installed those ways. For the backend image licenses are listed properly, but for the frontend they are not.
What would be the best approach to scan licenses in my configuration?
Target: Container Image
Scanner: License
Output Format: Table
Mode: Standalone
Operating System: Unix
Version: