feat: attest support for Singularity images #1201
Hey @tri-adam! I saw all the checks have passed for this - do you want a review or did you have more to add on top of this PR? Noticed it was still in draft, but just wanted to reach out if you needed anything from our end!
Split attestation code into separate steps to generate and publish the signed attestation.
Signed-off-by: Adam Hughes <9903835+tri-adam@users.noreply.github.com>

Add support for attestation of Singularity images.
Signed-off-by: Adam Hughes <9903835+tri-adam@users.noreply.github.com>
Hey @spiffcs, apologies for the slow response... just back from some travel. Just re-based, will push that and then (assuming the tests pass) will request a review. Thanks!
@spiffcs forgot to tag you... ready for a look when you have a chance. Thanks!
* main:
  refactor: Remove experimental Anchore Enterprise upload functionality (anchore#1257)
  Update syft bootstrap tools to latest versions. (anchore#1254)
  Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (anchore#1253)
  Update syft bootstrap tools to latest versions. (anchore#1244)
  fix apkdb checksum representation (anchore#1247)
  feat: add identifiable field to source object (anchore#1243)
  feat: attest support for Singularity images (anchore#1201)
  Update syft bootstrap tools to latest versions. (anchore#1239)
  Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (anchore#1240)
  fix: Follow symlinks when searching for globs in all-layers scope (anchore#1221)

* main: (45 commits)
  feat: add RelationshipsBySourceOwnership to syft json output (#1248)
  fix: reset merged package into map; (#1258)
  refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
  Update syft bootstrap tools to latest versions. (#1254)
  Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
  Update syft bootstrap tools to latest versions. (#1244)
  fix apkdb checksum representation (#1247)
  feat: add identifiable field to source object (#1243)
  feat: attest support for Singularity images (#1201)
  Update syft bootstrap tools to latest versions. (#1239)
  Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240)
  fix: Follow symlinks when searching for globs in all-layers scope (#1221)
  update requires to use list; remove field (#1234)
  Add Conan (C/C++) conan.lock file support (#1230)
  add sequence diagrams and flesh out TODO notes (#1233)
  Do not fail if unable to parse `.rpm` file (#1232)
  fix: support exclude patterns on Windows (#1228)
  Update syft bootstrap tools to latest versions. (#1225)
  Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224)
  Update syft bootstrap tools to latest versions. (#1223)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Add support for `syft attest` with Singularity images. Re-factor the attestation code to separate the steps to generate and publish the signed attestation.

To test, I'm generating a test image with Singularity, for example:
Then generating a signed attestation with Syft (requires the changes in this PR):
```
$ syft attest --output syft-json --key cosign.key singularity:alpine.sif > attestation.json
 ✔ Parsed image
 ✔ Cataloged packages      [14 packages]
```
And finally, to verify the attestation and scan the SBOM with Grype:
Closes #1193
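
A consumer-side check on a file like the `attestation.json` generated above, as an added example (not code from this PR or from Syft): before trusting the SBOM, confirm the attestation actually names the image you hold. It assumes the file is a DSSE envelope carrying an in-toto statement whose subject records the image's SHA-256; `CheckSubject`, `Sample` and the predicate URL are hypothetical names, and the sample envelope is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the DSSE wrapper; Statement is the in-toto statement it carries.
type Envelope struct {
	PayloadType string            `json:"payloadType"`
	Payload     string            `json:"payload"`
	Signatures  []json.RawMessage `json:"signatures"`
}
type Statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct{ Digest map[string]string `json:"digest"` } `json:"subject"`
}

// CheckSubject returns the predicate type if a subject carries the artifact's SHA-256.
func CheckSubject(envelopeJSON, artifact []byte) (string, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return "", err
	}
	if env.PayloadType != "application/vnd.in-toto+json" || len(env.Signatures) == 0 {
		return "", errors.New("not a signed in-toto envelope")
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	var st Statement
	if err != nil || json.Unmarshal(raw, &st) != nil {
		return "", errors.New("payload is not a base64-encoded JSON statement")
	}
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return st.PredicateType, nil
		}
	}
	return "", errors.New("no subject digest matches the artifact")
}

// Sample builds a constructed envelope naming artifact as subject (demo input only).
func Sample(artifact []byte) []byte {
	st := fmt.Sprintf(`{"predicateType":"https://example.invalid/sbom","subject":[{"digest":{"sha256":"%x"}}]}`, sha256.Sum256(artifact))
	return []byte(fmt.Sprintf(`{"payloadType":"application/vnd.in-toto+json","payload":"%s","signatures":[{"sig":"AA=="}]}`, base64.StdEncoding.EncodeToString([]byte(st))))
}
func main() { fmt.Println(CheckSubject(Sample([]byte("constructed")), []byte("constructed"))) }
```

This only checks that the statement is bound to the artifact; the signature itself still has to be verified against the signing key before the SBOM is trusted.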