tazjin/nixery

Attach vulnerability information to image metadata

tazjin opened this issue · 1 comment

Idea from talking to colleagues: Using a dataset like broken.sh by @andir it would be interesting to attach metadata to Nixery image layers about potential known vulnerabilities in those layers.

Since each layer is a set of packages, this translates rather nicely.

Specifically I'm thinking of using the history field to add package information to the "Created by" field and extra information such as vulnerabilities to the "Comment".
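To make the proposal above concrete, here is an added example (not Nixery's code, and not the author's) of what such metadata could look like on the OCI image config side and how a consumer would read it back. It assumes a simplified advisory record shape (package name plus advisory identifier) standing in for a dataset like broken.sh, whose real format is not shown here; the layer contents and advisory identifiers are constructed sample values, not real findings. The `history` entry fields (`created_by`, `comment`, `empty_layer`) are the ones defined by the OCI image spec.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// History mirrors one entry of the "history" array in an OCI image config.
// Nixery's real config builder is not reproduced here.
type History struct {
	CreatedBy  string `json:"created_by,omitempty"`
	Comment    string `json:"comment,omitempty"`
	EmptyLayer bool   `json:"empty_layer,omitempty"`
}

// Advisory is an assumed, simplified record for a vulnerability dataset such
// as broken.sh; the dataset's actual schema is not known in this example.
type Advisory struct {
	Package string // package name as it appears in the layer (assumption)
	ID      string // advisory identifier (placeholder values below)
}

// Constructed sample layers: each Nixery layer is a set of packages.
var sampleLayers = [][]string{
	{"glibc-2.31", "bash-5.0"},
	{"openssl-1.1.1", "curl-7.70"},
	{"coreutils-8.31"},
}

// Constructed sample advisories with obviously fake identifiers.
var sampleAdvisories = []Advisory{
	{Package: "openssl-1.1.1", ID: "CVE-YYYY-0001 (placeholder)"},
	{Package: "curl-7.70", ID: "CVE-YYYY-0002 (placeholder)"},
}

// BuildHistory emits one history entry per layer: "created_by" lists the
// packages in the layer, "comment" lists known advisories for those packages
// and stays empty when none are known.
func BuildHistory(layers [][]string, advisories []Advisory) []History {
	byPkg := map[string][]string{}
	for _, a := range advisories {
		byPkg[a.Package] = append(byPkg[a.Package], a.ID)
	}
	hist := make([]History, 0, len(layers))
	for _, pkgs := range layers {
		sorted := append([]string(nil), pkgs...)
		sort.Strings(sorted) // deterministic output for the same layer contents
		var vulns []string
		for _, p := range sorted {
			for _, id := range byPkg[p] {
				vulns = append(vulns, p+": "+id)
			}
		}
		h := History{CreatedBy: "nixery packages: " + strings.Join(sorted, ", ")}
		if len(vulns) > 0 {
			h.Comment = "known vulnerabilities: " + strings.Join(vulns, "; ")
		}
		hist = append(hist, h)
	}
	return hist
}

// ConfigJSON wraps a history list in a minimal image config document.
func ConfigJSON(hist []History) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"architecture": "amd64",
		"os":           "linux",
		"history":      hist,
	})
}

// VulnerableLayers is the consumer side: it parses an image config and returns
// the indices of layers whose comment flags known vulnerabilities, which a
// deployment policy check could act on.
func VulnerableLayers(configJSON []byte) ([]int, error) {
	var cfg struct {
		History []History `json:"history"`
	}
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, err
	}
	var idx []int
	for i, h := range cfg.History {
		if strings.HasPrefix(h.Comment, "known vulnerabilities:") {
			idx = append(idx, i)
		}
	}
	return idx, nil
}

func main() {
	hist := BuildHistory(sampleLayers, sampleAdvisories)
	raw, _ := ConfigJSON(hist)
	fmt.Println(string(raw))
	idx, _ := VulnerableLayers(raw)
	fmt.Println("layers with known vulnerabilities:", idx)
}
```

The comment is free text in the spec, so the fixed "known vulnerabilities:" prefix is what lets a consumer pick out annotated layers without a separate manifest format; anything richer (severity, fixed-in version) would fit the same field as long as producer and consumer agree on the layout.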

I'm looking for a vulnerability scanner which is able to scan nixery/nixos images.
Ideally showing results in Harbor right away.

Is anyone aware of a scanner which works with nixery images and/or how to configure such a scanner?