What are the existing [container] artifact vuln scanners, databases, and specs?

tools, vuln databases

awesome-docker-security >
Container [vuln] scanning:

• @aquasecurity/#Trivy
• @quay/#Claire
• @project_harbor/#Harbor #CNCF
• @anchore/#Syft
• @anchore/#Grype
• #Dagda works w/ Falco
• @falco_org/#Falco #CNCF #sysdig
• @snyksec/#Snyk sends PRs
  https://github.com/myugan/awesome-docker-security#container-scanning

• List of CNCF open source security projects:
  https://landscape.cncf.io/card-mode?category=security-compliance&grouping=category&license=open-source
• https://analysis-tools.dev/tag/security
• https://github.com/TaptuIT/awesome-devsecops#dependency-management
• Trivy data sources:
  https://github.com/aquasecurity/trivy#data-sources
• https://github.com/anchore/grype
  • syft scans and generates a SBOM, grype does lookups etc
  • https://github.com/anchore/grype/tree/main/grype/matcher
• https://github.com/DependencyTrack
• https://github.com/eliasgranderubio/dagda
  • https://github.com/jeremylong/DependencyCheck
    • https://www.owasp.org/index.php/OWASP_Dependency_Check

      Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

  • ClamAV, Falco

standards

SBOM standards:

• https://cyclonedx.org/