by robinhoodexe 1258 days ago
I’m also interested in people’s opinion on this.

We’re using Trivy but have also been evaluating Snyk and Grype. All of these can do container image scans, but these are, in my opinion, nearly useless, as the vulnerability exists in the base image I don’t control. Apart from using a newer base image (maybe based on a newer version of Ubuntu/Debian/Alpine) there’s little to do.

Scanning for language-specific vulnerabilities in third party packages is useful, as that’s something we can control and the fix is usually to update some python or node package (but this is also something dependabot can help with, albeit in a different manner).
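The split the comment above draws, base-image (OS package) findings you mostly cannot act on versus language-package findings you fix by bumping a dependency, can be made mechanically from a Trivy JSON report. The following is an added example, not code from the commenter or from the Trivy project. It assumes the shape of `trivy image --format json` output (a top-level `Results` list whose entries carry `Class` of `os-pkgs` or `lang-pkgs`, a `Type`, and a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded report is constructed sample data and its `CVE-PLACEHOLDER-*` identifiers are placeholders, not real advisories.

```python
"""Triage a Trivy JSON report (added example, not Trivy's own code).

Separates base-image findings (Class == "os-pkgs") from language-package
findings (Class == "lang-pkgs"), and lists which of the latter already
have a fixed version, i.e. are resolvable by a dependency bump.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output.
# Package names, versions and the CVE-PLACEHOLDER-* IDs are made up.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example-app (debian 11.6)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libc6",
              "InstalledVersion": "2.31-13", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "openssl",
              "InstalledVersion": "1.1.1n-0", "FixedVersion": "1.1.1n-0+deb11u4",
              "Severity": "CRITICAL"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "requests",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0004", "PkgName": "somepkg",
              "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "HIGH"},
         ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0005", "PkgName": "lodash",
              "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21", "Severity": "HIGH"},
         ]},
        # Non-vulnerability result classes (misconfig, secrets) are skipped.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile", "Misconfigurations": []},
    ]
})


def triage(report_json):
    """Return {"os-pkgs": [...], "lang-pkgs": [...]} of normalised findings."""
    report = json.loads(report_json)
    buckets = {"os-pkgs": [], "lang-pkgs": []}
    for result in report.get("Results", []):
        cls = result.get("Class")
        if cls not in buckets:
            continue
        # Trivy emits null (not []) when a target has no vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            buckets[cls].append({
                "target": result.get("Target", ""),
                "type": result.get("Type", ""),
                "id": v.get("VulnerabilityID", ""),
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", "") or "",
                "severity": v.get("Severity", "UNKNOWN"),
            })
    return buckets


def actionable_upgrades(findings):
    """Unique (ecosystem, package, installed, fixed) tuples with a fix available."""
    seen, out = set(), []
    for f in findings:
        if not f["fixed"]:
            continue
        key = (f["type"], f["pkg"], f["installed"], f["fixed"])
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def severity_counts(findings):
    """Counter of severities, e.g. {"HIGH": 2, "MEDIUM": 1}."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    # Usage: python triage.py [trivy-report.json]; falls back to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    b = triage(data)
    print("base image (os-pkgs):", dict(severity_counts(b["os-pkgs"])))
    print("language packages (lang-pkgs):", dict(severity_counts(b["lang-pkgs"])))
    for eco, pkg, cur, fix in actionable_upgrades(b["lang-pkgs"]):
        print(f"  upgrade {eco}:{pkg} {cur} -> {fix}")
    unfixed = [f for f in b["lang-pkgs"] if not f["fixed"]]
    print("language findings with no fix yet:", len(unfixed))
```

Run against a real report with `trivy image --format json -o report.json <image>` followed by `python triage.py report.json`; the `os-pkgs` bucket is what the comment calls base-image noise, and the upgrade list is the part a dependency bump (or a Dependabot PR) closes.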


Try Kubescape