github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 21:09:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: add trivy-based sbom artifact generation support (#4088)

Browse Source 
fixes issue #4067

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
This commit is contained in:
Ramkumar Chinchani
2026-05-23 23:24:12 -07:00
committed by GitHub
parent d8fb19819b
commit 4e4d00a0a6
12 changed files with 712 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
examples/README.md
+3 -1
View File
@@ -1296,6 +1296,8 @@ A minimal configuration only sets how often the DB is refreshed; zot applies def
To set those options explicitly (for example to mirror standalone Trivys `--vuln-severity-source` behavior), use a `trivy` object under `cve`:
- [config-cve-trivy.json](config-cve-trivy.json) — shows optional `dbRepository`, `javaDBRepository`, and `vulnSeveritySources`.
- [config-cve-trivy.json](config-cve-trivy.json) — shows optional `dbRepository`, `javaDBRepository`, `vulnSeveritySources`, and `sbom`.
`vulnSeveritySources` is a list of source names in priority order (for example `auto`, `nvd`, or vendor IDs such as `redhat`, `alpine`). If omitted, zot defaults it to `["auto"]`, consistent with the Trivy CLI. See [Trivy: severity selection](https://trivy.dev/docs/latest/scanner/vulnerability/#severity-selection).
`sbom.enable` lets zot generate SBOMs while scanning and store them as OCI artifacts attached to the scanned image. `sbom.format` supports `spdx-json` (default) and `cyclonedx`.