
Feature/lab4 #7

Open
Uiyrte wants to merge 2 commits into main from feature/lab4

Conversation

Owner

@Uiyrte Uiyrte commented Oct 3, 2025

Goal

Compare container security analysis tools — Syft+Grype and Trivy — in terms of package detection accuracy, vulnerability detection, license coverage, and integration into CI/CD pipelines.

Changes

  • SBOM outputs from Syft and Trivy were analyzed.
  • Vulnerability scans were performed using Grype and Trivy.
  • License reports were compared, including the number of unique licenses.
  • Additional security features (search for secrets, built-in keys) are appreciated.
  • Recommendations have been compiled for the use of each tool in various scenarios.

Testing

  • Generated SBOM files from Syft.
  • Trivy images have been scanned (including licenses and secrets).
  • Repeated scanning of SBOM with Grype has been performed.
  • The results were compared in terms of the number of packages, CVE, license types, and EPSS estimates.
  • CI/CD integration tested: policy setup, artifact retention, re-scans.

Artifacts & Screenshots

  • juice-shop-syft-native.json — Syft SBOM
  • grype-vuln-results.json — Grype vulnerability report
  • trivy-vuln-results.json — Trivy vulnerability report
  • Comparison tables: CVE, licenses, EPSS, risks
  • Markdown report with integration recommendations

Checklist

  • Clear title
  • Docs updated if needed
  • No secrets/large temp files
  • Task 1 done — SBOM Generation with Syft and Trivy
  • Task 2 done — SCA with Grype and Trivy
  • Task 3 done — Comprehensive Toolchain Comparison
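An added helper for the comparison step listed under Testing; it is not part of this PR's artifacts nor of the Syft, Grype or Trivy projects. It normalises both scanners' JSON reports to a common (package, version, CVE) key so the findings only one tool reports can be triaged. The embedded reports are constructed samples, and the report layouts (Grype's top-level `matches` array, Trivy's `Results` entries with a `Vulnerabilities` list) are assumptions modelled on those tools' JSON output.

```python
import json

# Constructed sample in the shape of a Grype JSON report (assumed layout:
# top-level "matches", each with "vulnerability" and "artifact").
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-0001", "severity": "High"},
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-2023-0002", "severity": "Medium"},
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-2023-0003", "severity": "Critical"},
     "artifact": {"name": "express", "version": "4.17.1"}},
]})

# Constructed sample in the shape of a Trivy JSON report (assumed layout:
# "Results" -> "Vulnerabilities"; secret/license results carry no such list).
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "Node.js", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0001", "PkgName": "lodash",
         "InstalledVersion": "4.17.20", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-0004", "PkgName": "minimist",
         "InstalledVersion": "1.2.5", "Severity": "MEDIUM"},
    ]},
    {"Target": "juice-shop (secrets)", "Class": "secret"},
]})

def grype_findings(report_text):
    """Map (package, version, CVE) -> SEVERITY from a Grype JSON report."""
    out = {}
    for m in json.loads(report_text).get("matches", []):
        art, vuln = m["artifact"], m["vulnerability"]
        out[(art["name"], art["version"], vuln["id"])] = vuln.get("severity", "").upper()
    return out

def trivy_findings(report_text):
    """Map (package, version, CVE) -> SEVERITY from a Trivy JSON report."""
    out = {}
    for res in json.loads(report_text).get("Results", []):
        for v in res.get("Vulnerabilities") or []:  # absent/None for non-vuln classes
            key = (v["PkgName"], v["InstalledVersion"], v["VulnerabilityID"])
            out[key] = v.get("Severity", "").upper()
    return out

def compare(grype, trivy):
    """Overlap of two scanners' findings; the disagreement sets are what to triage."""
    g, t = set(grype), set(trivy)
    return {"grype_total": len(g), "trivy_total": len(t),
            "common": sorted(g & t), "grype_only": sorted(g - t),
            "trivy_only": sorted(t - g)}
```

Run it against the real `grype-vuln-results.json` and `trivy-vuln-results.json` by reading those files into the two parser functions; severities are upper-cased because the two tools spell them differently.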

