Robert,
     Scanners like Clair are open source, but use data from the Linux distros. To be honest, there's really nothing that great for content layered on top of a Linux distro (PyPI, RubyGems, home grown code, etc). This stuff is expensive to scan, analyze and tag for vulnerabilities. Scanners will try to use MITRE as a database, but honestly, you kinda get what you pay for in this space. For me, I just rely on the errata [1] in RHEL (and UBI) for "most" of my trust.

My 2c.

[1]: https://access.redhat.com/articles/2130961

Best Regards
Scott M

On Wed, Nov 6, 2019 at 5:25 AM Robert P. J. Day <rpjday@crashcourse.ca> wrote:

  Not really a Podman-related question, but a colleague asked about
the options for open source container security scanners. I know about
commercial offerings like Black Duck; what are the choices of the
denizens of this list? Thank you kindly.

rday

--

========================================================================
Robert P. J. Day                                 Ottawa, Ontario, CANADA
                         http://crashcourse.ca

Twitter:                                       http://twitter.com/rpjday
LinkedIn:                               http://ca.linkedin.com/in/rpjday
========================================================================
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io


-- 
Scott McCarty, RHCA
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty@redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com
Have you ever wondered what happens behind the scenes when you type www.redhat.com into a browser and hit enter? https://www.redhat.com/en/blog/what-happens-when-you-hit-enter
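The distro-data matching Scott describes, as an added example that is not part of the thread and is not code from Clair, Red Hat or Podman: a scanner that works from distro errata does not look at upstream version numbers, it compares each installed package's epoch:version-release (EVR) against the EVR the advisory ships as the fix, using rpm's own ordering rules (backported fixes keep the upstream version and bump the release, so a plain string or semver compare gets it wrong). The package list and the advisory table below are constructed sample data with placeholder names and ids, not real RHSAs; the input line shape is the one `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'` prints, which you can run inside an image with `podman run --rm IMAGE rpm -qa --qf ...`. The example is also the reason for Scott's caveat: anything the distro does not issue errata for (pip wheels, gems, vendored code) never appears in the advisory table and so is never reported.

```python
"""Match an image's installed RPMs against distro errata by EVR (added example)."""
import re


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp does.

    Returns -1 if a < b, 0 if equal, 1 if a > b.  Digit runs compare numerically,
    letter runs compare as strings, a numeric segment beats an alphabetic one,
    and '~' sorts before everything (so 1.0~rc1 < 1.0).  The newer '^' separator
    is deliberately not handled here.
    """
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # skip separator characters (anything that is not alnum or '~')
        while i < la and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < la and a[i] == "~"
        tb = j < lb and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= la or j >= lb:
            break
        # take a run of the same character class (digits or letters) from both
        if a[i].isdigit():
            pat, isnum = r"\d+", True
        else:
            pat, isnum = r"[^\W\d_]+", False
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:
            # segment types differ: a numeric segment is always newer than alpha
            return 1 if isnum else -1
        sb = mb.group(0)
        i += len(sa)
        j += len(sb)
        if isnum:
            na, nb = int(sa), int(sb)
            if na != nb:
                return 1 if na > nb else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    # whichever string still has characters left over is newer
    return -1 if i >= la else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (int epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


def find_unpatched(installed_lines, errata):
    """Return (name, installed_evr, advisory_id, fixed_evr) for each installed
    package whose EVR is older than the EVR an advisory lists as the fix."""
    installed = {}
    for line in installed_lines:
        parts = line.split()
        if len(parts) >= 2:
            installed[parts[0]] = parts[1]
    hits = []
    for adv in errata:
        for name, fixed in adv["fixed"].items():
            have = installed.get(name)
            if have is not None and evr_cmp(have, fixed) < 0:
                hits.append((name, have, adv["id"], fixed))
    return hits


# Constructed sample input (made-up package names, versions and ".el8" suffix).
SAMPLE_RPMS = """\
libwidget 0:2.4.1-7.el8
widget-tools 0:2.4.1-7.el8
zed 1:3.10-2.el8
barlib 0:1.0.1~rc1-1.el8
qux 1:1.2-1.el8
"""

# Constructed advisory table: id -> package -> first fixed EVR.  Placeholder ids, not RHSAs.
SAMPLE_ERRATA = [
    {"id": "EXAMPLE-0001", "fixed": {"libwidget": "0:2.4.1-7.el8", "widget-tools": "0:2.4.1-7.el8"}},
    {"id": "EXAMPLE-0002", "fixed": {"zed": "1:3.10-3.el8"}},          # release bump only: backported fix
    {"id": "EXAMPLE-0003", "fixed": {"barlib": "0:1.0.1-1.el8"}},      # installed is a ~rc pre-release
    {"id": "EXAMPLE-0004", "fixed": {"qux": "0:9.9-1.el8"}},           # installed epoch 1 beats version 9.9
]


def sample_report():
    return find_unpatched(SAMPLE_RPMS.splitlines(), SAMPLE_ERRATA)


if __name__ == "__main__":
    for name, have, adv, fixed in sample_report():
        print(f"{name}: installed {have} is older than fixed {fixed} ({adv})")
```

Only zed and barlib come out as unpatched: libwidget is at exactly the fixed EVR, and qux is skipped because its higher epoch outranks the advisory's bigger version number, which is the kind of case a scanner that compares version strings naively gets backwards.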