Vulnerability scanning Rust containers

I’ve been trying to get Artifact Registry’s vulnerability scanner to pick up Rust dependencies in my uploaded images.

Right now, I’m compiling my binaries using cargo-auditable, and building the images using docker buildx build … --sbom=true. That seems to work fine – the built image has an embedded SBOM that includes OS and Rust-level dependencies.

When I upload to Artifact Registry, the embedded SBOM seems to be ignored, and its own scanner doesn’t pick up the embedded dependencies included by cargo-auditable. So, that’s maybe a feature request there.

I worked around this by including my Cargo.lock in the final container image. Feels silly to do it that way, but the dependency list at least is picking it up now.

I’m still seeing zero Rust vulnerabilities, though. (Expecting at least one – cargo audit does find one.) OS-level vulnerabilities show up as expected.

Is there 1. a better way to embed this information than copying in a Cargo.lock, and 2. a way to include Rust vulnerabilities in the scan, given that they’re being picked up as dependencies by Artifact Registry?
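As an added illustration (not part of the original post, and not Artifact Registry's or cargo-audit's code), here is the step the question is really about: once a scanner has a Cargo.lock, it has to (1) recover the locked (name, version) pairs and (2) match them against a Rust advisory feed by version range, which is what `cargo audit` does against the RustSec database. The Cargo.lock fragment, the crate names and the advisory IDs below are constructed placeholders, not real packages or real vulnerabilities, and the version matching ignores pre-release tags, a simplification of full semver. Standard library only.

```rust
// Added example (not from the original post, nor Artifact Registry's or cargo-audit's code):
// the two steps a scanner has to perform on a Rust dependency list.
//   1. recover (name, version) pairs from Cargo.lock
//   2. match them against an advisory feed by semver range
// The Cargo.lock text, crate names and advisory IDs are constructed placeholders.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Package {
    pub name: String,
    pub version: String,
}

/// A minimal advisory: `package` is vulnerable for versions in [introduced, patched).
/// Real feeds (RustSec, used by `cargo audit`) carry richer ranges; one range is enough here.
#[derive(Debug, Clone)]
pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    pub introduced: &'static str,
    pub patched: &'static str,
}

/// Read `key = "value"` from one Cargo.lock line; `None` for anything else.
fn quoted_kv(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.strip_prefix('"')?.strip_suffix('"')?.to_string())
}

/// Collect the `[[package]]` tables of a Cargo.lock into (name, version) pairs.
/// Cargo.lock is TOML, but only these two quoted keys are needed, so no TOML crate is used.
pub fn parse_cargo_lock(text: &str) -> Vec<Package> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<Package>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(Package { name: n, version: v });
        }
    }

    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    let mut in_package = false;

    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // Any table header ends the current package entry; array bodies never start with '['.
            flush(&mut name, &mut version, &mut out);
            in_package = line == "[[package]]";
            continue;
        }
        if !in_package {
            continue; // top-level keys such as the unquoted `version = 3`
        }
        if let Some(n) = quoted_kv(line, "name") {
            name = Some(n);
        } else if let Some(v) = quoted_kv(line, "version") {
            version = Some(v);
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Numeric core of a semver string: "1.4.0", "1.4.0-beta.1", "1.4.0+build" all give (1, 4, 0).
/// Pre-release ordering is deliberately ignored (simplification).
fn semver_core(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.');
    let major: u64 = parts.next()?.parse().ok()?;
    let minor: u64 = parts.next()?.parse().ok()?;
    let patch: u64 = parts.next()?.parse().ok()?;
    Some((major, minor, patch))
}

/// Every (package, version, advisory id) whose locked version falls inside an advisory range.
pub fn find_vulnerable(pkgs: &[Package], advisories: &[Advisory]) -> Vec<(String, String, &'static str)> {
    let mut hits = Vec::new();
    for p in pkgs {
        let v = match semver_core(&p.version) {
            Some(v) => v,
            None => continue, // unparsable version: skip rather than silently pass
        };
        for a in advisories.iter().filter(|a| a.package == p.name) {
            match (semver_core(a.introduced), semver_core(a.patched)) {
                (Some(lo), Some(hi)) if v >= lo && v < hi => {
                    hits.push((p.name.clone(), p.version.clone(), a.id));
                }
                _ => {}
            }
        }
    }
    hits
}

/// Constructed Cargo.lock fragment (not from a real project).
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "tiny-http-shim",
 "widget-parser",
]

[[package]]
name = "tiny-http-shim"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "widget-parser"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Constructed advisories with placeholder IDs (not RustSec entries, not real crates).
pub const SAMPLE_ADVISORIES: &[Advisory] = &[
    Advisory { id: "EXAMPLE-0001", package: "widget-parser", introduced: "1.0.0", patched: "1.4.1" },
    Advisory { id: "EXAMPLE-0002", package: "tiny-http-shim", introduced: "0.1.0", patched: "0.3.0" },
];

fn main() {
    let pkgs = parse_cargo_lock(SAMPLE_LOCK);
    println!("{} packages in lockfile", pkgs.len());
    for (name, version, id) in find_vulnerable(&pkgs, SAMPLE_ADVISORIES) {
        println!("{name} {version}: {id}");
    }
}
```

The same matching step applies to the list that cargo-auditable embeds in the binary (a compressed JSON package list in a dedicated `.dep-v0` section): the package names and versions are the same data, only the container differs. A scanner that shows the Rust dependencies but reports zero findings is stopping after step 1, which is consistent with what the post describes; whether a registry adds step 2 for Rust is up to that product.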