Collect data on the number of CVEs in a set of container images, including both Chainguard Images and other images.
This repository serves two purposes:
- Provides a GitHub Action that scans and attests a container image.
- Logs daily CVE information on Chainguard Images and a set of other images.
Known vulnerabilities (CVEs) in third-party container images are an important software supply chain security problem. First, many popular container images, often pulled from Docker Hub, have hundreds of CVEs even when a user pulls the latest version. Second, these vulnerabilities can be a source of compromise, offering attackers a way to gain access to container-based applications. Third, because many reported vulnerabilities are either false positives or otherwise do not represent an actual vulnerability, these high CVE counts are a source of wasted staff time: one or more teams must triage the sometimes large number of CVEs.
This GitHub Action scans and attests a container image.
A GitHub Action (scan.yml) operates on a daily cron job, scanning all Chainguard Images and also the images listed in images.txt. This data is then stored in Google BigQuery.
GCLOUD_PROJECT=*** GCLOUD_DATASET=*** GCLOUD_TABLE=*** go run cmd/tableinit/main.go
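As an added illustration, not code from the rumble repository, of how one scanner's output becomes a per-image CVE row for daily logging: the function below parses a trivy JSON report (trivy being one of the scanners rumble supports) and counts distinct CVE IDs per severity. The row shape (`CVECount`), the function name and the sample report are assumptions; the JSON field names are trivy's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// CVECount is one daily log row per image (an assumed shape, not rumble's BigQuery schema).
type CVECount struct {
	Image      string
	BySeverity map[string]int
	Total      int // distinct CVE IDs, not findings
}

// Minimal subset of trivy's JSON report; encoding/json matches field names case-insensitively.
type trivyReport struct {
	ArtifactName string
	Results      []struct{ Vulnerabilities []struct{ VulnerabilityID, Severity string } }
}

// CountTrivy turns a report into one row. Trivy emits one finding per affected package, so
// one CVE can appear several times in an image; counting findings instead of distinct IDs
// would inflate the daily numbers. Severity is upper-cased so buckets line up across scanners.
func CountTrivy(raw []byte) (CVECount, error) {
	var r trivyReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return CVECount{}, fmt.Errorf("parse trivy report: %w", err)
	}
	c := CVECount{Image: r.ArtifactName, BySeverity: map[string]int{}}
	seen := map[string]bool{}
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if !seen[v.VulnerabilityID] {
				seen[v.VulnerabilityID] = true
				c.BySeverity[strings.ToUpper(v.Severity)]++
				c.Total++
			}
		}
	}
	return c, nil
}

// Constructed sample report, not real scanner output: CVE-2023-0001 hits two packages.
const TrivySample = `{"ArtifactName":"docker.io/library/example:latest","Results":[{"Vulnerabilities":[
{"VulnerabilityID":"CVE-2023-0001","Severity":"HIGH"},{"VulnerabilityID":"CVE-2023-0001","Severity":"HIGH"},
{"VulnerabilityID":"CVE-2023-0002","Severity":"LOW"}]}]}`
func main() {
	c, _ := CountTrivy([]byte(TrivySample))
	fmt.Printf("%s: %d distinct CVEs %v\n", c.Image, c.Total, c.BySeverity)
}
```

The sample yields 2 distinct CVEs (1 HIGH, 1 LOW) rather than 3 findings, which is the difference between a CVE count and a finding count when the same CVE affects several packages.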
Is the daily logged CVE data available?
Not currently. It might be in the future. If you are interested in the data, please open an issue.
What scanners does rumble currently support?
trivy and grype.
How do I learn more about Chainguard Images?
You can request a demo here. You can also check out documentation on the Chainguard website or GitHub.