Does Grafeas support SAST and DAST scan reports?

Yash Bansal

Jun 8, 2020, 6:23:02 AM
to Grafeas Users
Hi,
I was reading the protobuf specification of the Vulnerability Kind. It seems that the Vulnerability kind is focused on metadata produced by container scanners such as Anchore/Snyk. Am I right here? Is it possible to store metadata and scan results generated by a dynamic scanner such as Arachni?

The use case could be scanning a web application in a dev environment before deploying it to production?

Camilo Aguilar

Aug 21, 2020, 10:48:04 AM
to Grafeas Users
It may or may not be focused on that type of metadata. However, the important thing to highlight is that you are free to define your own metadata types as well.

Wiktor Kozlik

Sep 2, 2020, 11:58:43 AM
to Grafeas Users
The Vulnerability Kind is not well suited for storing SAST and DAST information. (The existing type can be thought of as a “Package Vulnerability” since it holds package-specific fields in Details.)
There was a related discussion on a similar topic some time ago that provides more details: https://github.com/grafeas/grafeas/issues/164
We would definitely be open to a schema proposal to store SAST and DAST information in Grafeas. Feel free to make a proposal to change the schema.