Vulnerability scanning

SBoMs can be used for vulnerability scanning

All components of an artifact are listed with version numbers

Matching those components against CVE databases reveals known vulnerabilities that are still unfixed in the artifact

Scan can be repeated at any time


Example workflow

sbom-operator listens for events on pods, generates an SBoM for an image…

…and stores it in a git repository

vulnerability-operator enumerates the SBoMs in the repository

…scans them for vulnerabilities and publishes metrics

Prometheus and Grafana can scrape and visualize them
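The matching and metrics step of this workflow, as an added example that is not code from sbom-operator or vulnerability-operator: it reads a constructed, minimal CycloneDX-style SBoM, matches its components against a constructed vulnerability feed (hypothetical ids, not real CVEs) and renders the result in the Prometheus text exposition format that a scraper would collect. The version ordering is a simplified assumption; real scanners use ecosystem-specific rules.

```python
"""Match an SBoM's components against a vulnerability feed and emit Prometheus metrics."""
import json
import re
from collections import Counter

# Constructed minimal CycloneDX-style SBoM for one image (sample data, not a real scan).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "registry.example/app", "version": "1.4.2"}},
    "components": [
        {"name": "openssl", "version": "1.1.1k"},
        {"name": "zlib", "version": "1.2.11"},
        {"name": "curl", "version": "7.79.1"},
    ],
})

# Constructed vulnerability feed with hypothetical ids; a real operator pulls this from a CVE database.
VULN_DB = [
    {"id": "DEMO-VULN-1", "name": "zlib", "fixed_in": "1.2.12", "severity": "high"},
    {"id": "DEMO-VULN-2", "name": "curl", "fixed_in": "7.79.0", "severity": "medium"},
    {"id": "DEMO-VULN-3", "name": "openssl", "fixed_in": "1.1.1l", "severity": "critical"},
]


def version_key(version):
    """Simplified ordering (assumption): numeric runs compare as ints, letter runs as strings."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", version)]


def scan_sbom(sbom_json, vuln_db):
    """Return the image name and every component whose version is older than the fix."""
    sbom = json.loads(sbom_json)
    image = sbom["metadata"]["component"]["name"]
    findings = []
    for comp in sbom["components"]:
        for vuln in vuln_db:
            if vuln["name"] == comp["name"] and version_key(comp["version"]) < version_key(vuln["fixed_in"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "id": vuln["id"], "severity": vuln["severity"]})
    return {"image": image, "findings": findings}


def to_prometheus(report):
    """Render per-severity gauges in Prometheus text format, emitting zeros so dashboards never go blank."""
    counts = Counter(f["severity"] for f in report["findings"])
    lines = ["# HELP sbom_vulnerabilities Unfixed vulnerabilities found in an image's SBoM",
             "# TYPE sbom_vulnerabilities gauge"]
    for sev in ("critical", "high", "medium", "low"):
        lines.append(f'sbom_vulnerabilities{{image="{report["image"]}",severity="{sev}"}} {counts.get(sev, 0)}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_prometheus(scan_sbom(SBOM_JSON, VULN_DB)))
```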


Demo

See SBoMs in git

See metrics in Grafana