feat: attest support for Singularity images #1201
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tri-adam
force-pushed
the
singularity-attest
branch
2 times, most recently
from
6796ced
to
b0a8133
Compare
tri-adam
force-pushed
the
singularity-attest
branch
from
b0a8133
to
3498d15
Compare
|
Hey @tri-adam! I saw all the checks have passed for this - do you want a review or did you have more to add on top of this PR. Noticed it was still in draft, but just wanted to reach out if you needed anything from our end! |
Split attestation code into separate steps to generate and publish the signed attestation. Signed-off-by: Adam Hughes <9903835+tri-adam@users.noreply.github.com>
Add support for attestation of Singularity images. Signed-off-by: Adam Hughes <9903835+tri-adam@users.noreply.github.com>
Hey @spiffcs, apologies for the slow response... just back from some travel. Just re-based, will push that and then (assuming the tests pass) will request a review. Thanks! |
tri-adam
force-pushed
the
singularity-attest
branch
from
3498d15
to
a0e3cf3
Compare
|
@spiffcs forgot to tag you... ready for a look when you have a chance. Thanks! |
spiffcs
approved these changes
Oct 4, 2022
spiffcs
added a commit
to cpendery/syft
that referenced
this pull request
Oct 11, 2022
* main: refactor: Remove experimental Anchore Enterprise upload functionality (anchore#1257) Update syft bootstrap tools to latest versions. (anchore#1254) Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (anchore#1253) Update syft bootstrap tools to latest versions. (anchore#1244) fix apkdb checksum representation (anchore#1247) feat: add identifiable field to source object (anchore#1243) feat: attest support for Singularity images (anchore#1201) Update syft bootstrap tools to latest versions. (anchore#1239) Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (anchore#1240) fix: Follow symlinks when searching for globs in all-layers scope (anchore#1221)
spiffcs
added a commit
that referenced
this pull request
Oct 13, 2022
* main: (45 commits) feat: add RelationshipsBySourceOwnership to syft json output (#1248) fix: reset merged package into map; (#1258) refactor: Remove experimental Anchore Enterprise upload functionality (#1257) Update syft bootstrap tools to latest versions. (#1254) Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253) Update syft bootstrap tools to latest versions. (#1244) fix apkdb checksum representation (#1247) feat: add identifiable field to source object (#1243) feat: attest support for Singularity images (#1201) Update syft bootstrap tools to latest versions. (#1239) Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240) fix: Follow symlinks when searching for globs in all-layers scope (#1221) update requires to use list; remove field (#1234) Add Conan (C/C++) conan.lock file support (#1230) add sequence diagrams and flesh out TODO notes (#1233) Do not fail if unable to parse `.rpm` file (#1232) fix: support exclude patterns on Windows (#1228) Update syft bootstrap tools to latest versions. (#1225) Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224) Update syft bootstrap tools to latest versions. (#1223) ... Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
aiwantaozi
pushed a commit
to aiwantaozi/syft
that referenced
this pull request
Oct 20, 2022
spiffcs
pushed a commit
that referenced
this pull request
Oct 21, 2022
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
spiffcs
pushed a commit
that referenced
this pull request
Oct 21, 2022
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
GijsCalis
pushed a commit
to GijsCalis/syft
that referenced
this pull request
Feb 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add support for
syft attestwith Singularity images. Re-factor the attestation code to separate the steps to generate and publish the signed attestation.To test, I'm generating a test image with Singularity, for example:
Then generating a signed attestation with Syft (requires the changes in this PR):
$ syft attest --output syft-json --key cosign.key singularity:alpine.sif > attestation.json ✔ Parsed image ✔ Cataloged packages [14 packages]And finally, to verify the attestation and scan the SBOM with Grype:
Closes #1193