From YouTube: Trivy and Klar gap analysis discussion
Description
Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/299137
Also available with transcript at https://gitlab.zoom.us/rec/play/e6XlY_mvoNFM3-aVtQWKoBcOv0NxyFOb7xYoKhdCfux5k5SjcGoXt6h6jVXabHttlveRY2nfnfRPLrJT.3ajg5AU2IJ2Gyolo?continueMode=true&_x_zm_rtaid=E5s8gXsPRPeiXVHqA7sTrg.1612486799070.3410145e0576a7b55a3267f35dd3558d&_x_zm_rhtaid=344 (internal link)
A: Cool, well, good morning, you guys. Thanks for joining. I did see the, well, the GitLab comments. I saw the work, Adam. I know I haven't really seen this type of work before, but I'm really impressed with the quality and thoughtfulness of the results. So thank you. This is really great.

A: I know there's kind of six general issues you brought up in your analysis, Sam. How do these meetings normally go? Do you want to just kind of go through the topics, or how would you suggest we best do this?

B: You know, build on what we've got today with Clair and Klar, and, you know, get it to run as an honorary root user and clean up some of the documentation around it, and make this the thing that we really built our foundation on going forward, or do we swap it out for Trivy? There's not necessarily a right or a wrong answer, but we do want to come to a decision and have some justification for that decision, right?

C: Yeah, I'd love to understand. So, if I could suggest a format, maybe Adam can give us a quick summary of each of the items he posted, and for each item I'd love to understand whether we think that's essential to fix, or good to have, or not needed at all, because then, with that information, engineering can take that back and say, all right, here are the estimates for addressing these things, and then, if we want to, we can get into details of how to address them.

D: Yeah, I figured that I was going to have to go through each of these, probably, so that's no problem. First off, I want to say that now that I've had a good chance to look into Trivy, it's pretty impressive, and I think if I could have gone back... we didn't know about Trivy when we first created the container scanning tool. If we did, we probably would have implemented it in Trivy. It seems to be a lot more powerful and full-featured than, you know,

D: the Clair/Klar kind of combination, and it seems to also be a lot easier with respect to, you know, the dependencies you don't need, like with the whole container scanning tool that we currently have. We have so many different moving parts.

D: You know, you've got Klar and you've got Clair, and that in itself is... and you've also got the vulnerability database, and that's a real pain, all those three different things going on. So actually, yesterday I spent part of the day trying to swap out Clair and Klar from the container scanning tool and switch it to Trivy, just to see what it was like, and it's amazing how much code it cleans up because, of course, all of this stuff of starting the Clair server is gone.

D: I mean, I didn't write about this stuff, because this was something I did late yesterday. I finished late, so I didn't have time to put it into this issue, but I will write about that today. But yeah, it removes a lot of logic and code and setup, you know, bootstrapping type of code, from the Clair codebase, from the container scanning base. So it's a lot easier to implement.

D: It would have saved us a lot of time, because there's a lot of stuff that we had to do when building the container scanning tool just to get the Clair server to start up, make sure it's running, print the log messages from the Clair server, you know, do it asynchronously like that. That was a lot of work, actually. So yeah, using Trivy from the get-go would have been a lot easier.

D: The vulnerability database stuff as well, because right now we're really relying on a third party for that information, and apparently it was not being updated for two months, which is a long time for vulnerabilities not to be updated, and also for us not to even know that these vulnerabilities weren't being updated, because that was something that I think just came up in the past, you know, month or two, that this was happening.

C: Just a comment for those who are not across that. So I think Mike raised it, and what happens is our process to update it is working. It runs daily, and yay, we've got an up-to-date vulnerability database, but the upstream that we consume had been stale for a while and we didn't notice. We didn't have a list for that, so we're addressing that separately. But it's a good point that was brought up.

D: Yeah, so that is taken care of pretty easily with Trivy. They've got their own... it's like a git repo where they submit the vulnerabilities to, which is the same thing that we've done with Gemnasium, having our vulnerabilities in a git repo. So yeah, that part is easier. There's just a whole bunch of... this also got a templating language, which I thought was super cool. The log output is much better.

D: So from that point of view, like I said, if I could do it again, I would have done this with Trivy, but now that we are, you know, thinking of switching out... well, there's two things: we're thinking of switching out Clair and Klar for Trivy, and switching out, possibly, Go for Ruby.

D: So the first thing, I guess, we'll talk about some of the things. We'll start off with the log messages, and this is one that you could pass by and say, oh, it's not a big deal, the log messages are good that come from Trivy. But the problem is, a lot of the log messages that we've built into the current container scanning tool have come from bug reports. So a customer didn't understand some feature.

D: So we have improved the log message so that it explains what's happening. Like the first one here is: if we try to scan an image from a secure registry without configuring the certificate, then we have this error from Trivy that explains, kind of in a roundabout way, that it's something to do with a certificate. But if you do the same thing with Klar, it says explicitly:

D: "The SSL certificate used by the registry is bad or signed by an unknown authority. Please either set the..." It tells you exactly what to do. It tells you where in the documentation you should look to fix this. So I think it would be really unfortunate if we missed out on those types of things. So I think it is important to maintain those log messages.

D: The other thing, and there's a bunch of those in what we currently have, so that's something I would really recommend re-implementing in Trivy. The next thing is the message format. The message format that's printed is straight from Trivy, and it doesn't follow any of our logging formats that we use for all the other Secure analyzers, since we use... there's a thing called the common package, and that is made available to all Go-based code.

C: It does, but you have to upload it. I'll have the chat transcript, but I guess I can paste them in the video description.

D: Yeah, in any case, you're scrolling down on this window. So I'm looking at number two here. Yeah, so log message format and color should follow the standard format. So you can see, the one above is what Trivy outputs, which is its own internal logging format, and the one below, that is what Klar outputs, which is the consistent and standardized Secure analyzer logging format. So you could just let Trivy output the stuff; my preference is to be consistent.

C: Go on, Sam. Sorry, I...

C: Yeah, to give a bit of context to what I said: so to me, the required is, hey, without this it'll break, it won't work. Nice to have: it'll work, but some things might be worse. And then things that we don't want could be the third one. I'm in doubt about the first one being a nice-to-have, because from reading that message, I don't know, Adam, maybe you read a bit more than that. There's an x509 reference there, so that's a hint to what's happening.

C: We could estimate how difficult to import these log messages are. I'm guessing it wouldn't be that much work.

D: Not difficult. We already have the code in the container scanning tool. The only difference is that we have to look for this particular error. If it contains, you know, like "x509", like that string, then we spit out our own custom message. Cool, so it's not difficult to do, but yeah, definitely nice-to-haves. I see the downside of spitting out the messages like this is that you're probably going to get more bug reports for things that have already been solved.

B: Number one: when we do fix it, we probably want to contribute that upstream, or at least consider contributing upstream, if the log messages are just bad, then.

D: I agree with that as well. We could say exactly that the SSL certificate was bad or signed by an unknown authority; that would probably be really helpful to commit upstream. Okay, moving on, the next one. This is bigger. This is the CI job log output, so you can click that link there, or maybe it's... yeah. I don't... right now... no, no, close that one, I was gonna say.

D: The problem is that my screens are in portrait mode, so it's going to look terrible on this video and everyone's going to struggle to see it. So it's kind of better if someone else does it. You can close that window.

D: Maybe collapse the sidebar on the left bottom, so it looks a little bit better. Anyway, so that's the output that we currently get with the current container scanning tool, this nice table. So Trivy can also output a table, and it actually looks really good, the table that it outputs. The problem is that there's no way to... Trivy will either output a text file, like with the JSON of the vulnerabilities, or it'll output the table, so you can't get it to do both.

D: So that means that, in order to solve this, you either need to run Trivy twice, or you need to run it once and then, you know, ingest that JSON file and use the logic to manipulate it and spit out a table.

D: Yeah, that could definitely be two flags, because you would implement it the way I said: you would pretty much generate the report and then you'd convert that report, pass it to the table-writing output. That's definitely more difficult, because I've actually, since putting Trivy into the current container scanning tool, we just get this for free; it just works. So that's one thing that we don't have to worry about. That's the difference between switching from Go and Ruby.

D: If we do this in Ruby, we need to solve this. We need to either run Trivy twice, which is an efficiency problem, you know, both time-consuming and also wasting resources, because you've got to wait for two scans, and if a scan... they do cache the information, apparently, but in that same issue that I linked, where only one output format can be specified at a time, one of the people... you can go to that. Actually, if you want, if you click back to the issue.

D: It was printed... oh, that, yeah, I think a bunch. The dependency scanning does as well, because we have some issues to fix the table output of dependency scanning. So yes, it's different analyzers, yeah. So if you click on... go to the next tab. Sorry to cut you off, were you going to say something else, Yago?

B: Yeah, so I'm thinking about that as we talk about it, and I'm almost leaning towards this. First, my first instinct was: this is a must-have, because, you know, we're impacting the usability of it in a pretty significant way. But, as I think about it, so right now container scanning is only available for Gold and Ultimate, which means that they have access to the vulnerability dashboard to view these on.

D: When I first implemented container scanning and we deviated from the previous table output, I'm pretty sure we had people complaining immediately, you know, that the output was different.

D: Yeah, and I can tell, if you take away that table, I think you're going to have a lot of unhappy people, all right. I mean, personally, I like... personally, from just... I run container scanning all the time. I love that output, and I would be really, really unhappy if that output were to go away, because it gives a really quick overview. Because... remember this, some people will run this differently as well. They might not run it in the CI environment; they might run it standalone.

D: So if you run this Docker image, you get all this nice output, but as soon as you take that out, you have no output, and it's really nice to see what was approved there. You know, it's a really quick overview. Like I said, for me, I would be the first person complaining, but it's...

D: Click on the next tab over, the multiple report options. So this is where someone was, you know, complaining about that, saying: can we get it to output twice? Can we get it to do two different formats at once? And then this is the person at the very bottom where they said, after implementing... because one person responded and said that the scan results are cached and the second scan will skip downloading layers, so it should be fast enough, but then this person responded and said that their scan took 30 minutes rather than 20.

D: So because of that, yeah, I think we would have to implement it ourselves, but, like I said, if we stick with Go, it's already done; that logic is there. I tried it yesterday and it prints out a table exactly as we have.

D: Yeah, but, you know, there is a lot of stuff related to this, like the log messages, you know, all of the stuff.

D: Yeah, yeah, okay, so moving on to the next one, the air-gapped instance. So this one, yeah, we're gonna have to expose the skip-update flag on Trivy, because Trivy, I guess, the way it works for us is that... sorry, one sec! I just want to...

D: So yeah, so the way that the current... the image that John made, it includes the current vulnerability database from Trivy. So it downloads it and it includes it in the image. But I noticed that, I think, there must be some code that checks the age of the vulnerability cache, and if it's older than, I don't know how many hours or days, it'll try to refresh it.

D: Yeah, but just, yeah, for everybody else listening: if we rebuild the image daily, but the customer doesn't download it daily, they download it weekly, then they'll run into this problem.

D: Whatever it is, though, we would need to do both. We would need to... well, we would need to do our own logic to pretty much reimplement what Trivy does on how it checks the age of the database, and we'd have to say: hey, this database is older than five hours, it's probably out of date, you should think about updating. But we would have to put this... we pretty much have to run Trivy with the skip-update flag all the time to make sure that it doesn't try to update. Well...

D: Yeah, so we would expose it. We would have some skip-update option. We actually... no, we wouldn't enforce it by default. The customer would have to run into this issue, or we'd have to say, in an offline environment you should set this, because, yeah, we don't know whether they're running in an offline environment or not. So we expose that, and yeah, that's...

C: I had a different mix of that. I think there are iterations on the same ideas, like for a first implementation, you can always pass it in so it doesn't break, and then we can look, as a next step, to add a flag that... expose the flag, so the user can control what they want to happen, and then there's a third thing, or maybe a second, is implement the warning to say: hey, your database is pretty old.

C: You're probably not catching the latest vulnerabilities.

D: I think defaulting to not updating the database is definitely... that's the riskiest approach, because, you know, I can't really... Clair hasn't had its database updated for two months, so, you know, we don't really have a lot of credibility there.

D: Again, yeah, but the thing is, it's the risky approach. Like for me, I would prefer to err on the side of being cautious, because, yeah, you're going to frustrate some people in an offline environment, but they're probably going to go through this. People that are not in an offline environment want this behavior, yeah. I'm...

A: Could I ask a question: is the goal for this minimum viable for anybody to actually use it in a production environment, or would we tell customers that this is a beta that they could, you know, try out, but we don't recommend for production?

C: It will be available in 3010 and 1311, and then on 14 we'll switch to the new one. So we'll get some alpha/beta testing out of it before we make the switch, and that could give us time to actually put the warnings in and remove the hard code. Just a suggestion.

D: So yeah, I guess we can discuss this later, because it seems like there's a lot more nuances to whether you enable it by default or not. We don't have to solve that now. The next thing is that, as far as point number three, so go back to the running container scanning. Yeah, so point number three: if we build a new container... so this is more of, like, we need to figure out what we're gonna do in this case.

D: If we build a new container scanning image every day, we'll always have the latest Trivy vulnerabilities database update available. But do we need to, you know, version these images differently? Like right now, for example, we'd have, like, container scanning 3.0, 3.0.1. Do we do, like, 3.0.1-1?

D: Yeah, the next thing is that scanning an image on a secure registry by setting the additional CA server bundle doesn't seem to work. I didn't look into this in detail. I just tried it with the exact same setup that we currently have. It works with Klar; it doesn't work with the current G... you know, tool. I'm not sure why that is, I just... yeah. It could be something... it's definitely a required one. That's definitely a required one. Yeah, okay, any discussion there, or...

D: Entry there, okay. The differences in the report JSON. So the big one is that the vulnerability IDs in the report are different between Trivy and Klar. I think this is just a case of the way that John is ingesting the, you know, identifier values. I think if he were to change the way that he manipulates them before generating the report...

D: I would say it's pretty easy to implement this, so it would be a shame not to, yeah. The remediations aren't supported. Again, I'm not sure why; apparently they should be, but I didn't look too deeply into why that's not working. And then there's a bunch of differences, like this is something... the severity levels between Clair and Trivy seem to be different.

D: That, I guess, is just something we'll have to deal with. It's probably a good thing. You know, maybe the database is different. Again, I didn't look in too deeply why that's happening. And then the vulnerability ID list is different between Trivy and Klar. There's a bunch of... I outlined all of the different areas of the JSON report where, you know, there's a URL in the...

D: I think that's just... some of it is because John just didn't, you know, translate these values, but it's just something that, I know the data might be there, the data's all there. It's just a matter of changing it, massaging it into the format that we want. And this is it, the vulnerability CVE. You can see there, it's Alpine for Clair, it's "alpine 3.7, CVE blah blah", and for Trivy it's only "CVE-2019...". I think that's why the IDs are being, you know, changed.

D: Okay, let's go to general issues. Yeah, the vulnerability names not being reported in some cases, again, I think it's a data issue, as far as we need to convert some stuff. Private repo scanning isn't supported, so that's a bug that needs to be fixed, because there's a username and password that has to be set, which we do by default with Klar, and the GCS version doesn't do that. It's an easy enough update. Another thing is where GCS saves the report, the container scanning report; it doesn't save it into the CI project directory.

D: Yeah, there's two things, and I use them interchangeably: there's GCS and there's GTCS. I'm not really sure why the name was changed in the Docker image, but just, yeah, I guess think of them interchangeably, or maybe GCS is the actual project, GTCS is the tool used to, you know, scan. And then vulnerability allow-listing is not supported, and that's something that we do have currently implemented in the container scanning tool.

D: So last, or next, is what needs to change, so scroll down a bit further. One needs to change in the container scanning tool template to use GCS. I've created a branch that implements the changes. It's pretty much just removing the reliance on starting up... it removes a lot of the reliance on, I think, starting up Clair, is another... the Clair DB is another service. It's a lot of... it's, yeah, small, good changes, because it removes... it simplifies the template file and...

D: Yeah, it's already done in the Go version. So if we stick with Go, then we have the allow-listing. Again, it's not something that's super difficult to do in, you know, Ruby, but it's just another thing.

C: Yeah, like the first iteration is going Trivy in Golang, and then, if the team decides that, you know what, Ruby is much more appropriate for this engineering team, it allowed more people to work on it. The tests, probably, I think, have some improvement as well. So anyway, as I said, it's an engineering discussion.

D: Yeah, the other thing, so yeah, we have: do all non-Clair-specific settings work? And now we've already discussed a bunch of things that don't currently work. And then, yeah, the other stuff, like Clair-specific settings. There's a Clair output, the severity level threshold, which is something that we've been meaning to rename in container scanning to something more generic, such as severity level threshold.

D: Again, that would probably be something we'd have to implement ourselves, and then some other GCS settings that need to be changed, which are just like renaming some variables and adding a registry and secure variable. And then, finally, with the last two minutes we have, Go versus Ruby.

D: So this is about: if we switch to Ruby, there's a lot of stuff that we lose that is implemented in the common package, such as logging, vulnerability identifier parsing, struct definitions, vulnerability sorting. This is all stuff that we get for free right now that we'd have to reimplement and re-test, and there's also the other considerations, such as needing to run Trivy twice, which we don't need to do

D: if we stick with the Go version. And also, because Trivy is also written in Go, we can just take stuff from their code base and stick it into our code base. So, for example, the table-writing code is pretty good in Trivy, so I would like to just take that and stick it into our container scanning tool, and we can do that pretty easily, because we can just take this as it is, and the tests and everything else that they have, and we can stick that into our code.

B: You know, estimate-wise, and I don't know how long you need, Thiago, to put that together, but how soon do you think we'll be ready to kind of bring this to the team and make a final decision here?

C: I'm hoping to do this week. I know I've only got two days, and tomorrow is team day, actually, so maybe... I'm gonna need Monday to wrap it up. Sure, I have a call with Jan tonight, I have a call with my chie... and I can always reach out to me. I'll do it asynchronously anyway. I'll ask people to watch this video, so...

B: Maybe our next group meeting, Tuesday of next week. It would be, what, Wednesday your time? Yep.

D: You're saying something? No, I just want to say, like, just to John, who's going to watch this video later, like, yeah, great work on the GCS tool. Yeah, it was really easy to use, and yeah, and I looked through the Ruby code; it does some really great stuff there.

C: Awesome. So, Sam and Karen, my request to PM is just confirm the nice-to-haves and required ones there. We have an idea, but it'd be good to have it there, and then we'll take that, and for the required and nice-to-haves I think we need to do two estimates. I think it would be helpful to do two estimates.

A: Yeah, thanks, guys. So, work's really impressive. Working asynchronously then, so thank you.