Scanners like Clair are open source, but use data from the Linux
distros. To be honest, there's really nothing that great for content
layered on top of a Linux distro (pypi, Ruby Gems, home grown code, etc).
This stuff is expensive to scan, analyze and tag for vulnerabilities.
Scanners will try to use Mitre as a database, but honestly, you kinda get
what you pay for in this space. For me, I just rely on the errata in
RHEL (and UBI) for "most" of my trust:
On Wed, Nov 6, 2019 at 5:25 AM Robert P. J. Day <rpjday(a)crashcourse.ca>
Not really a podman-related question, but a colleague asked about
the options for open source container security scanners. I know about
commercial offerings like Black Duck; what are the choices of the
denizens of this list? Thank you kindly.
Robert P. J. Day Ottawa, Ontario, CANADA
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
Scott McCarty, RHCA
Product Management - Containers, Red Hat Enterprise Linux & OpenShift