@@ -71,7 +71,7 @@ There needs to be a process/tool that the security team can
* Pipelines as Product - when we can ship pre-built pipelines that work out of the box, a stage that generates these for new containers and uploads these for IronBank/external images would need to be part of the product.
* CLI tools - Given a product we choose for the System Vulnerability Review, a CLI tool to properly consume scan results from Anchore/Twistlock/Etc and upload to the chosen tool, and then attach the VEX to the associated vulnerability for each tool would be important for workflows.
* VEX Spec: https://cyclonedx.org/docs/1.4/json/
### Toosl that may work
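Review bot: the heading `### Toosl that may work` in this hunk has a typo (`Toosl` should be `Tools`); since this change already touches these lines, correct it here rather than in a follow-up. Also, the `* VEX Spec:` bullet links to https://cyclonedx.org/docs/1.4/json/, which is the general CycloneDX 1.4 JSON schema reference rather than a VEX-specific document; either relabel the bullet as the CycloneDX schema the VEX documents will be expressed in, or point it at the CycloneDX VEX guidance page (https://cyclonedx.org/capabilities/vex/) so readers land on the VEX-relevant fields directly. Finally, the `* CLI tools` bullet says the tool should "attach the VEX to the associated vulnerability for each tool" without stating which system holds the vulnerability record; naming it explicitly (the System Vulnerability Review product referred to at the start of that line) would make this workflow requirement concrete enough to verify.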