grant
Search an SBOM for licenses and the packages they belong to
Grant consumes syft as its default SBOM generator when users don't bring their own bill of material. This issue is a placeholder to incorporate changes in syft where source analysis...
:wave: I pointed `grant` at a folder, a mounted squashfs file, distributed from an app store (specifically the alacrity desktop terminal software package from the snap store). Partway through the...
:wave: I ran `grant check` against a folder which contains an installation of Android Studio. It ran for a while then crashed. ``` android-studio ⠇ Checking licenses ━━━━━━━━━━━━━━━━━━━━ panic: send...
https://deps.dev/ is an open-source project handled by Google which contains data on packages. It also includes data on licenses, which cannot always be extracted by syft. My suggestion...
Hello, When I want to check the licenses of a given image, it is important to me to understand in which layer the package exists. This information is already provided...
Hi, Might be a good idea to add a "severity" to each rule (default can be unknown). can help users to prioritize licenses issues (like with CVEs). ``` rules: -...
Hi, I tried to run the binary using a simple config file as specified in the documentation: ``` #.grant.yaml config: ".grant.yaml" format: json # table, json show-packages: false # show...
### Placeholder for design on interactive report viewer
SPDX makes a distinction between declared and concluded packages. Declared: "List the licenses that have been declared by the authors of the package" Concluded: "Contain the license the SPDX document...
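The declared/concluded distinction above is where a license check can silently go wrong: a tool that only reads one field misses packages whose author-declared license disagrees with what the SBOM producer actually concluded. The following is an added, stand-alone example (not grant's code, and not an SPDX library) that reads the `licenseDeclared` and `licenseConcluded` fields of an SPDX 2.3 JSON document, classifies each package by whether the two agree, indexes packages by their effective license, and evaluates a simple denylist. The SPDX document is constructed inline for the example; licenses are compared as plain strings, so compound SPDX expressions such as `MIT OR Apache-2.0` would need a real expression parser.

```python
import json

# Constructed SPDX 2.3 JSON document for this example only (not a real SBOM).
# "NOASSERTION" is the SPDX spelling for "no statement made", and a missing
# licenseConcluded is allowed by the spec, so both cases are exercised here.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-openssl", "name": "openssl", "versionInfo": "3.0.2",
         "licenseDeclared": "Apache-2.0", "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "1.2",
         "licenseDeclared": "MIT", "licenseConcluded": "GPL-3.0-only"},
        {"SPDXID": "SPDXRef-bar", "name": "bar", "versionInfo": "0.1",
         "licenseDeclared": "NOASSERTION", "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-baz", "name": "baz", "versionInfo": "2.0",
         "licenseDeclared": "BSD-3-Clause"},
    ],
})

# Values that carry no usable license information.
UNKNOWN = {"NOASSERTION", "NONE", None}


def effective_license(pkg):
    """Return (license, source) for a package.

    The concluded license is what the SBOM producer verified, so it takes
    precedence; fall back to the declared license, then to unknown.
    """
    concluded = pkg.get("licenseConcluded")
    if concluded not in UNKNOWN:
        return concluded, "concluded"
    declared = pkg.get("licenseDeclared")
    if declared not in UNKNOWN:
        return declared, "declared"
    return None, "unknown"


def compare_declared_concluded(spdx_text):
    """Classify every package by how its declared and concluded licenses relate."""
    doc = json.loads(spdx_text)
    results = []
    for pkg in doc.get("packages", []):
        declared = pkg.get("licenseDeclared")
        concluded = pkg.get("licenseConcluded")
        if concluded in UNKNOWN and declared in UNKNOWN:
            status = "unknown"          # nothing to check against
        elif concluded in UNKNOWN:
            status = "declared-only"    # author's word only, unverified
        elif declared in UNKNOWN:
            status = "concluded-only"   # producer found a license the author did not state
        elif declared == concluded:
            status = "agree"
        else:
            status = "conflict"         # worth a human look before trusting either
        results.append({"name": pkg.get("name"), "version": pkg.get("versionInfo"),
                        "declared": declared, "concluded": concluded, "status": status})
    return results


def index_by_license(spdx_text):
    """Map each effective license to the packages carrying it (the 'search' use case)."""
    index = {}
    for pkg in json.loads(spdx_text).get("packages", []):
        lic, _source = effective_license(pkg)
        index.setdefault(lic or "UNKNOWN", []).append(pkg.get("name"))
    return index


def check_denylist(spdx_text, denied):
    """Return (package, license, which field matched) for packages on the denylist."""
    findings = []
    for pkg in json.loads(spdx_text).get("packages", []):
        lic, source = effective_license(pkg)
        if lic in denied:
            findings.append((pkg.get("name"), lic, source))
    return findings


if __name__ == "__main__":
    for row in compare_declared_concluded(SAMPLE_SPDX):
        print(f"{row['name']:<10} declared={row['declared']!s:<14} "
              f"concluded={row['concluded']!s:<14} {row['status']}")
    print(index_by_license(SAMPLE_SPDX))
    print(check_denylist(SAMPLE_SPDX, {"GPL-3.0-only"}))
```

Note that `libfoo` is caught by the denylist only because the concluded field is consulted first; a check that read `licenseDeclared` alone would pass it as MIT. Packages that end up `unknown` or `declared-only` are the ones to surface to a reviewer rather than treat as clean.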
Some examples of this would be to generate a policy of exclusions from an image that is already known as compliant. Example: ``` grant policy --exclude image:base:latest ``` ^ This...