Add command to scan apk files for vulnerabilities #290
This builds Grype-based vulnerability scanning directly into wolfictl, enabling the new command:

This is a more accurate means of scanning than the scanning script included in Wolfi, and enables a tight feedback loop for developers working on patching CVEs or adding new packages to the distro.
This implementation also paves the way for more productivity and advisory features, as scan data can be incorporated into advisory discovery and triage workflows.
This is definitely just an initial implementation, and I'm looking forward to usability feedback and suggestions to make it easier to manage CVEs in the distro! 😃
Update (2023-07-13):
Preview: