provide vulnerability attestation based on cosign vuln spec #1646

developer-guy · 2022-01-31T06:37:10Z

In cosign, we (w/@Dentrax @dlorenc) worked on generating a spec for vulnerabilities¹ and ended up having something like the following 👇
https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VULN_ATTESTATION_SPEC.md

So, I thought it'd be nice to adapt it to Trivy, and maybe we can enable this support with a flag --attestation <PATH>.

The text was updated successfully, but these errors were encountered:

knqyf263 · 2022-01-31T17:48:39Z

Thanks. Sounds interesting.

developer-guy · 2022-02-01T08:44:02Z

I can work on this, feel free to assign it to me 🙋🏻‍♂️

knqyf263 · 2022-02-01T08:47:47Z

Great to hear that! Could you share how it works before you start working on it?

knqyf263 · 2022-07-13T18:01:15Z

knqyf263 · 2022-07-20T07:13:33Z

@otms61 Could you work on it?

otms61 · 2022-07-20T09:17:44Z

@knqyf263 Alright. I will try.

developer-guy added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 31, 2022

knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Jan 31, 2022

knqyf263 assigned developer-guy Feb 1, 2022

knqyf263 added this to the v0.31.0 milestone Jul 15, 2022

knqyf263 unassigned developer-guy Jul 20, 2022

knqyf263 assigned otms61 Jul 20, 2022

masahiro331 mentioned this issue Jul 20, 2022

feat(spec): remove invocate in vuln predicate sigstore/cosign#2069

Closed

otms61 mentioned this issue Jul 21, 2022

feat(report): add support for Cosign vulnerability attestation #2567

Merged

6 tasks

knqyf263 closed this as completed in #2567 Jul 27, 2022

Provide feedback