Replies: 2 comments
-
There are some cases where package information is lost during build time; for this reason it's recommended to scan the source code and not only the build artifacts. If you want to preserve the information you can generate an SBOM from source.
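The comment above recommends generating an SBOM from source so the npm dependency list survives webpack bundling. As an added example (not the plugin referred to in the next comment and not Trivy's own code), the Python script below converts a package-lock.json into a minimal CycloneDX document that can then be handed to `trivy sbom`. It handles both the lockfileVersion 2/3 "packages" map and the older v1 "dependencies" tree, and it skips dev-only packages by default, since those never end up in the bundle. The embedded sample lockfile is constructed for the example; the package names, versions and the project name in it are made up.

```python
"""Build a minimal CycloneDX SBOM from an npm package-lock.json so the
dependency list survives webpack bundling and can be scanned with
`trivy sbom <file>` even when the image only contains the bundled .js file.
Added example; not Trivy's code and not the plugin mentioned in the thread."""
import json
import sys
from urllib.parse import quote

# Constructed sample lockfile (lockfileVersion 3 layout); names and versions are made up.
SAMPLE_LOCK = json.dumps({
    "name": "webapp", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "webapp", "version": "1.0.0",
             "dependencies": {"lodash": "^4.17.20", "@babel/core": "^7.0.0"}},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/@babel/core": {"version": "7.0.0"},
        # nested install: only the last node_modules/ segment is the package name
        "node_modules/@babel/core/node_modules/semver": {"version": "6.3.0"},
        # build tooling is marked dev and is not part of the shipped bundle
        "node_modules/webpack": {"version": "5.0.0", "dev": True},
    },
})


def npm_purl(name, version):
    """Package URL for an npm package; the '@' of a scoped name is percent-encoded."""
    if name.startswith("@"):
        scope, _, bare = name.partition("/")
        return f"pkg:npm/{quote(scope)}/{bare}@{version}"
    return f"pkg:npm/{name}@{version}"


def iter_lock_packages(lock):
    """Yield (name, version, is_dev) for every installed package in a lockfile.

    lockfileVersion 2/3 keep a flat 'packages' map keyed by install path;
    lockfileVersion 1 keeps a nested 'dependencies' tree keyed by name.
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, info in packages.items():
            if path == "" or "version" not in info:
                continue  # root project entry, or a workspace/link stub without a version
            # aliased installs carry an explicit name; otherwise derive it from the path
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, info["version"], bool(info.get("dev"))
        return

    def walk(deps):
        for name, info in deps.items():
            if "version" in info:
                yield name, info["version"], bool(info.get("dev"))
            yield from walk(info.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def build_cyclonedx(lock_text, include_dev=False):
    """Return a CycloneDX 1.4 document (as a dict) listing each unique name@version once."""
    lock = json.loads(lock_text)
    seen = {}
    for name, version, is_dev in iter_lock_packages(lock):
        if is_dev and not include_dev:
            continue
        purl = npm_purl(name, version)
        seen.setdefault((name, version), {
            "type": "library",
            "name": name,
            "version": version,
            "purl": purl,
            "bom-ref": purl,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": lock.get("name", "unknown"),
                                   "version": lock.get("version", "0.0.0")}},
        "components": sorted(seen.values(), key=lambda c: c["purl"]),
    }


if __name__ == "__main__":
    # Usage: python lock2cdx.py package-lock.json > webapp.cdx.json
    # then:  trivy sbom webapp.cdx.json
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(json.dumps(build_cyclonedx(src), indent=2))
```

Run it at build time from the same source tree the bundle is built from and ship the resulting .cdx.json next to the bundle (or keep it in CI); the SBOM reflects what went into the bundle even though the package names are no longer recoverable from the minified output. If dev dependencies matter for your threat model (build-time compromise rather than what ships), pass include_dev=True.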
-
@sseelmann FYI, you can use this plugin to generate an SBoM that can be scanned by Trivy.
-
Description
Hello,
we have a JavaScript app which uses webpack to bundle the app including its npm dependencies into a single js file. Currently Trivy isn't able to detect any vulnerable packages included, neither using trivy fs nor when packaged into a container image using trivy image. Would it be possible to support scanning such artifacts?
Is there a workaround when doing the image scan? (Adding package-lock.json to the image isn't considered by trivy image.)
Thanks,
Stefan
Target: Container Image
Scanner: Vulnerability