grafeas
Artifact Metadata API (by grafeas)
vimp
Compare data from multiple vulnerability scanners to get a more complete picture of potential exposures. (by mchmarny)
grafeas | vimp | |
---|---|---|
3 | 1 | |
1,502 | 54 | |
0.7% | - | |
5.8 | 8.5 | |
28 days ago | 7 months ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
grafeas
Posts with mentions or reviews of grafeas.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-11-15.
-
Securing CI/CD Images with Cosign and OPA
Grafeas: While Grafeas offers a comprehensive solution for the software development lifecycle, it is not designed for public or open-source software (OSS) image verification. It's better suited for first-party integration, particularly with Google Kubernetes Engine (GKE).
-
Open source container scanning tool to find vulnerabilities and suggest best practice improvements?
https://github.com/grafeas/grafeas 1.4k stars, updated last week
-
Anyone else using Universal Resource Names (URN) for Asset Tracking and Automation?
Yes I have been looking at this notably related to relationships to vulnerabilities and leveraging grafeas. Which uses a resource uri to relate to a container but could equally be an os on a host. As we use azure, aws, google and have on premise I agree makes some sense to do this. My use case is somewhat easier as DNS names make some sense but the base part of resource has to indicate it is on premise and has to name space independent of the cloud so using the core company DNS name in a similar way the cloud providers do. Other than that looking to leverage many of concepts in grafeas.
vimp
Posts with mentions or reviews of vimp.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-04-15.
-
Open source container scanning tool to find vulnerabilities and suggest best practice improvements?
Something I saw recently was https://github.com/mchmarny/vimp which does vulnerability checking via multiple different tools; haven't used it too much yet but could be quite handy.
What are some alternatives?
When comparing grafeas and vimp you can also consider the following projects:
dagda - a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
notation - A CLI tool to sign and verify artifacts
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
grype - A vulnerability scanner for container images and filesystems
clair - Vulnerability Static Analysis for Containers