{"id":15221870,"url":"https://github.com/googlecloudplatform/aactl","last_synced_at":"2025-10-20T01:30:26.785Z","repository":{"id":190174580,"uuid":"614624914","full_name":"GoogleCloudPlatform/aactl","owner":"GoogleCloudPlatform","description":"Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.","archived":false,"fork":false,"pushed_at":"2025-01-27T12:52:06.000Z","size":24740,"stargazers_count":10,"open_issues_count":31,"forks_count":6,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-01-31T00:45:53.021Z","etag":null,"topics":["artifact","attestations","build","container","cosign","gcb","gcp","import","predicate","sbom","sigstore","slsa"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoogleCloudPlatform.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-16T01:13:48.000Z","updated_at":"2024-11-26T21:09:59.000Z","dependencies_parsed_at":"2024-04-30T13:44:10.636Z","dependency_job_id":"9b3ed656-1b1a-47f8-ae5f-3cd69fdee8df","html_url":"https://github.com/GoogleCloudPlatform/aactl","commit_stats":null,"previous_names":["googlecloudplatform/aactl"],"tags_count":21,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Faactl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Faactl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Faactl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Faactl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoogleCloudPlatform","download_url":"https://codeload.github.com/GoogleCloudPlatform/aactl/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237243005,"owners_count":19278060,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifact","attestations","build","container","cosign","gcb","gcp","import","predicate","sbom","sigstore","slsa"],"created_at":"2024-09-28T15:08:25.870Z","updated_at":"2025-10-20T01:30:16.775Z","avatar_url":"https://github.com/GoogleCloudPlatform.png","language":"Go","readme":"# aactl\n\nGoogle [Artifact Analysis (AA)](https://cloud.google.com/artifact-analysis/docs/artifact-analysis) service data import utility, supports OSS vulnerability scanner reports, SLSA provenance, and sigstore attestations.\n\nAACTL is a sample tool that shows Google Cloud customers who use Artifact Registry how they can ingest vulnerabilities detected by supported scanning tools into Artifact Analysis.  Once ingested, vulnerabilities will be stored \u0026 managed alongside vulnerabilities detected by Artifact Analysis. Vulnerabilities are viewable within Artifact Registry UI, SDS Security Insights, gcloud, and Artifact Analysis API (Container Analysis).\n\nAACTL can also ingest SLSA Build Provenance generated by [SLSA GitHub Generator](https://github.com/slsa-framework/slsa-github-generator).\n\n\u003e Detailed installation instruction are available [here](INSTALLATION.md).\n\n## Usage \n\n`aactl` supports imports of two data types: `vulnerability` and `attestation`.\n\n\u003e In addition to CLI, `aactl` can also be used in your CI/CD pipeline as a Google Cloud Build builder ([example](examples/cloud-build/README.md)) or GitHub Actions action ([examples](examples/github-actions/README.md)).\n\n### Vulnerability \n\nTo import vulnerabilities output by either [grype](https://github.com/anchore/grype), [snyk](https://github.com/snyk/cli), [trivy](https://github.com/aquasecurity/trivy) scanners, start by exporting the report in JSON format: \n\n* [grype](https://github.com/anchore/grype)\n\n  `grype --add-cpes-if-none -s AllLayers -o json --file report.json $image`\n\n* [snyk](https://github.com/snyk/cli)\n\n  `snyk container test --app-vulns --json-file-output=report.json $image`\n\n* [trivy](https://github.com/aquasecurity/trivy)\n\n  `trivy image --format json --output report.json $image`\n\nOnce you have the vulnerability file, importing that file into AA using `aactl`:\n\n```shell\naactl vulnerability --project $project \\\n                    --source $image \\\n                    --file report.json\n```\n\n\u003e The $image variable in the above example is the fully qualified URI of the image including its digest (e.g. `us-docker.pkg.dev/project/repo/image@sha256:397d453...`).\n\nTo review the imported vulnerabilities in GCP:\n\n```shell\ngcloud artifacts docker images list $repo \\\n  --show-occurrences \\\n  --format json \\\n  --occurrence-filter \"kind=\\\"VULNERABILITY\\\" AND resource_url=\\\"https://$image\\\"\"\n```\n\nYou can also navigate to Artifact Registry to view the vulnerabilities there. \n\n![](examples/images/ar-vulns.png)\n\n### Attestation\n\nIn addition to vulnerabilities, `aactl` can also import [sigstore](https://github.com/sigstore) attestations:\n\n```shell\naactl attestation --project $project --source $image\n```\n\n\u003e The $image variable in the above example is the fully qualified URI of the image including its digest (e.g. `us-docker.pkg.dev/project/repo/image@sha256:397d453...`).\n\nThe imported data can be accessed using `gcloud`:\n\n```shell\ngcloud artifacts docker images describe $image --show-provenance --format json\n```\n\nThe resulting JSON will look something like this: \n\n![](examples/images/slsa-console.png)\n\nThe data can also be viewed in Software Delivery Shield side panel:\n\n![](examples/images/side-panel.png)\n\n\u003e SLSA level is currently not parsed properly, WIP.\n\n## Contributing\n\nEntirely new samples are not accepted. Bug fixes are welcome, either as pull\nrequests or as GitHub issues.\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to contribute.\n\n## Licensing\n\nCode in this repository is licensed under the Apache 2.0. See [LICENSE](LICENSE).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Faactl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgooglecloudplatform%2Faactl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Faactl/lists"}