anchore/yardstick
GitHub: anchore/yardstick
A tool for parsing and comparing vulnerability scan results, helping users manage and make sense of scanner output.
Stars: 27 | Forks: 8
# yardstick
A tool for parsing and comparing results from vulnerability scanning tools.

Manage and explore scan results:

```
# capture new scan results for a specific tool and image
yardstick result capture --image ubuntu:20.04 -t grype@v0.11.0

# list all captured scan results
yardstick result list

# interactively explore scan results
yardstick result explore
```

Manage true-positive / false-positive labels for images:

```
# explore the labels applied to matches for a specific image and tool
yardstick label explore

# list all managed labels
yardstick label list
```

Supported scanners:

- `grype`
- `syft`

### FAQ

*"Why is syft in the list? It isn't a vulnerability scanner!"*

You're right, however, it is very useful to capture SBOM results that grype can consume, or to use as a reference during analysis!

*"Yardstick doesn't support vulnerability scanner X..."*

PRs welcome! The goal of this tool is to provide analysis capabilities that help us better understand how to make these scanners better.

## Result sets

Result sets can be used to operate on and track scan results that belong together. For example:
```
# .yardstick.yaml
result-sets:
  example:
    matrix:
      images:
        - ubuntu:20.04
      tools:
        - name: grype
          version: v0.32.0
        - name: grype
          version: v0.48.0
```
```
# capture results for all tools in the set
$ yardstick result capture -r example

# list the results captured for the set
$ yardstick result list -r example

# run a label comparison across all tools in the set
$ yardstick label compare -r example
```
## Configuration

Example application configuration:

```
# .yardstick.yaml
x-ref:
  images: &images
    - docker.io/cloudbees/cloudbees-core-mm:2.346.4.1@sha256:b8ec61aad2f5f9be2dc9c68923eab1de0e8b026176093ad2e0742fca310bf3bf

result-sets:
  pr-vs-latest:
    description: "latest released grype vs grype from the current build"
    matrix:
      images: *images
      tools:
        - name: syft      # go ahead and capture an SBOM each time to help analysis later
          version: v0.54.0
          produces: SBOM
        - name: grype     # from the latest published github release
          version: latest
          takes: SBOM
        - name: grype:pr  # from a local PR checkout install (feed via an environment variable)
          version: env:CURRENT_GRYPE_COMMIT
          takes: SBOM
```
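To make the `matrix` semantics concrete, here is an added Python example (not yardstick's own code) that expands a result set into per-image, per-tool capture jobs, resolves `env:` versions from the environment, and checks that every tool with `takes: SBOM` has a tool in the same set that `produces: SBOM`. It assumes the YAML above has already been loaded into a dict; the producer-first ordering and the `takes`/`produces` check are my assumptions about a sensible pre-flight check, not documented yardstick behaviour.

```python
import os
from collections import namedtuple

# Parsed form of the page's second .yardstick.yaml example, constructed here as a dict
# so no YAML library is needed (PyYAML would yield the same shape, &images expanded).
CONFIG = {
    "result-sets": {
        "pr-vs-latest": {
            "description": "latest released grype vs grype from the current build",
            "matrix": {
                "images": ["docker.io/cloudbees/cloudbees-core-mm:2.346.4.1@sha256:"
                           "b8ec61aad2f5f9be2dc9c68923eab1de0e8b026176093ad2e0742fca310bf3bf"],
                "tools": [
                    {"name": "syft", "version": "v0.54.0", "produces": "SBOM"},
                    {"name": "grype", "version": "latest", "takes": "SBOM"},
                    {"name": "grype:pr", "version": "env:CURRENT_GRYPE_COMMIT", "takes": "SBOM"},
                ],
            },
        }
    }
}
# One capture to run: an image scanned by one tool at a pinned version.
Job = namedtuple("Job", "image tool version takes produces")


def resolve_version(version, env=None):
    # 'env:VAR' pins the tool to whatever VAR holds (the page feeds a PR commit this
    # way); fail loudly rather than silently capturing with the wrong build.
    env = os.environ if env is None else env
    if version.startswith("env:"):
        var = version[len("env:"):]
        if var not in env:
            raise KeyError(f"version references unset environment variable {var}")
        return env[var]
    return version


def expand_result_set(config, name, env=None):
    # Expand images x tools into Jobs, ordering SBOM producers (syft) ahead of the
    # consumers (grype) and rejecting a set whose 'takes' has no matching 'produces'.
    matrix = config["result-sets"][name]["matrix"]
    tools = sorted(matrix["tools"], key=lambda t: 0 if t.get("produces") else 1)
    produced = {t["produces"] for t in tools if t.get("produces")}
    jobs = []
    for image in matrix["images"]:
        for t in tools:
            takes = t.get("takes")
            if takes and takes not in produced:
                raise ValueError(f"{t['name']} takes {takes} but nothing in {name} produces it")
            jobs.append(Job(image, t["name"], resolve_version(t["version"], env), takes, t.get("produces")))
    return jobs
```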
## CLI commands

```
config                  show the application config
label                   manage match labels
  add                   add a match label indication for an image
  apply                 see which labels apply to the given image and...
  compare               compare a scan result against labeled data
  compare-by-ecosystem  show TPs/FPs/Precision from label comparison...
  explore               interact with an label results for a single image...
  images                show all images derived from label data
  list                  show all labels
  remove                remove a match label indication for an image
  set-image-parent      set the parent image for a given image
  show-image-lineage    show all parents and children for the given image
result                  manage image scan results
  capture               capture all tool output for the given image
  clear                 remove all results and result sets
  compare               show a comparison between tool output
  explore               interact with an image scan result
  images                list images in results
  import                import results for a tool that were run externally
  list                  list stored results
  sets                  list configured result sets
  show                  show a the results for a single scan + tool
  tools                 list tools in results
```