11:20 p.m.
Robert,
Scanners like Clair are open source, but use data from the Linux
distros. To be honest, there's really nothing that great for content
layered on top of a Linux distro (pypi, Ruby Gems, home grown code, etc).
This stuff is expensive to scan, analyze and tag for vulnerabilities.
Scanners will try to use Mitre as a database, but honestly, you kinda get
what you pay for in this space. For me, I just rely on the errata [1] in
RHEL (and UBI) for "most" of my trust:
My 2c.
[1]: https://access.redhat.com/articles/2130961
Best Regards
Scott M
On Wed, Nov 6, 2019 at 5:25 AM Robert P. J. Day <rpjday(a)crashcourse.ca>
wrote:
not really a podman-related question, but a colleague asked about
the options for open source container security scanners. i know about
commercial offerings like black duck; what are the choices of the
denizens of this list? thank you kindly.
rday
--
========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
--
--
Scott McCarty, RHCA
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty(a)redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com
Have you ever wondered what happens behind the scenes when you type
www.redhat.com into a browser and hit enter?
https://www.redhat.com/en/blog/what-happens-when-you-hit-enter