Scan SBOM attestation in Rekor #2702
Comments
Assigned to @otms61
Alright. I'll try.
Regarding the UX, the PR uses this format:
Makes sense, thanks for the detailed response. Also, what do you think about making this behavior on by default? If the service is unavailable or the SBOM doesn't exist, it will still work.
Ah yes, nice catch. What if we specify the attestation places via a flag like
It is too much 😄, but this is what was on my mind.
Yes, that is my plan. But attestations in Rekor are not mature, and I guess they will add some more breaking changes. We will add a flag experimentally for the moment; then, once it gets stable, we will make it the default behavior.
OK, so if I'm thinking this through,
so perhaps there's a service connection defined. I connect to my OCI registry, call it "myreg", and in this connection I define all the required information that's specific to this registry service. Ideally I would do this in the Trivy config file, but for the sake of consistency all config file options could also be configured as flags. Additionally, the common ("official") services are preconfigured in Trivy, like Docker Hub and Rekor. Also, perhaps renaming the flag name to
What do those flags look like? FYI: Cosign can customize the Rekor URL via
We've discussed this offline and agreed to support just one instance of every type (with predefined ordering between providers). No need to over-engineer this yet.
Description
SBOM attestations can be stored in Rekor and searched by digest, such as an image digest. If an image has an SBOM attestation in Rekor, we'll use it instead of scanning the image itself.
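The flow this issue describes (search Rekor by image digest, take the SBOM attestation if one exists, otherwise scan the image) as an added, self-contained example. This is not Trivy's implementation nor Rekor client code; it assumes that the entry is searched with the `hash` field of Rekor's `POST /api/v1/index/retrieve` body, that the fetched entry carries the base64-encoded in-toto statement under `attestation.data`, and that SBOM attestations use the CycloneDX or SPDX predicate types cosign emits. The Rekor round trip is abstracted as a `Fetcher` so the fallback paths (service unavailable, no attestation, attestation for a different image) can be exercised offline on a constructed entry. It does not verify the DSSE signature on the entry; a real client must do that before trusting the SBOM.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Predicate types cosign uses for SBOM attestations (assumed allowlist).
var sbomPredicateTypes = map[string]bool{
	"https://cyclonedx.org/bom": true,
	"https://spdx.dev/Document": true,
}

type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// statement is the subset of an in-toto Statement this example reads.
type statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// rekorEntry mirrors the part of a Rekor log entry read here (assumed shape):
// attestation.data holds the base64-encoded in-toto statement.
type rekorEntry struct {
	Attestation struct {
		Data string `json:"data"`
	} `json:"attestation"`
}

// SearchBody builds the body for POST /api/v1/index/retrieve, which is how an
// entry is searched by digest. Only "sha256:<64 hex>" digests are accepted.
func SearchBody(imageDigest string) (string, error) {
	algo, hexDigest, ok := strings.Cut(imageDigest, ":")
	if !ok || algo != "sha256" || len(hexDigest) != 64 {
		return "", fmt.Errorf("unsupported digest %q", imageDigest)
	}
	b, err := json.Marshal(map[string]string{"hash": imageDigest})
	return string(b), err
}

// ExtractSBOM decodes one entry and returns the SBOM predicate only if the
// statement is an in-toto statement with an SBOM predicate type and one of its
// subjects carries imageDigest. An attestation for another image is rejected.
func ExtractSBOM(entryJSON []byte, imageDigest string) (string, []byte, error) {
	var e rekorEntry
	if err := json.Unmarshal(entryJSON, &e); err != nil {
		return "", nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(e.Attestation.Data)
	if err != nil {
		return "", nil, err
	}
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", nil, err
	}
	if !strings.HasPrefix(st.Type, "https://in-toto.io/Statement/") {
		return "", nil, fmt.Errorf("not an in-toto statement: %q", st.Type)
	}
	if !sbomPredicateTypes[st.PredicateType] {
		return "", nil, fmt.Errorf("not an SBOM predicate: %q", st.PredicateType)
	}
	algo, want, _ := strings.Cut(imageDigest, ":")
	for _, s := range st.Subject {
		if s.Digest[algo] == want {
			return st.PredicateType, st.Predicate, nil
		}
	}
	return "", nil, fmt.Errorf("no subject matches %s", imageDigest)
}

// Fetcher stands in for the Rekor search + entry fetch round trip.
type Fetcher func(imageDigest string) ([][]byte, error)

// ResolveSBOM returns the SBOM to scan and true, or false when the scanner
// should fall back to scanning the image itself (Rekor unreachable, no entry,
// or no entry that is a matching SBOM attestation).
func ResolveSBOM(fetch Fetcher, imageDigest string) (string, []byte, bool) {
	entries, err := fetch(imageDigest)
	if err != nil {
		return "", nil, false // service unavailable: still scan the image
	}
	for _, e := range entries {
		if pt, sbom, err := ExtractSBOM(e, imageDigest); err == nil {
			return pt, sbom, true
		}
	}
	return "", nil, false
}

// FixtureEntry builds a Rekor-shaped entry from constructed data for offline use.
func FixtureEntry(imageDigest, predicateType, predicate string) []byte {
	algo, hexDigest, _ := strings.Cut(imageDigest, ":")
	st := statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: predicateType,
		Subject:       []subject{{Name: "registry.example/app", Digest: map[string]string{algo: hexDigest}}},
		Predicate:     json.RawMessage(predicate),
	}
	raw, _ := json.Marshal(st)
	var e rekorEntry
	e.Attestation.Data = base64.StdEncoding.EncodeToString(raw)
	b, _ := json.Marshal(e)
	return b
}

func main() {
	digest := "sha256:" + strings.Repeat("ab", 32) // constructed image digest
	entry := FixtureEntry(digest, "https://cyclonedx.org/bom", `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}`)
	fetch := func(string) ([][]byte, error) { return [][]byte{entry}, nil }
	body, _ := SearchBody(digest)
	fmt.Println("search body:", body)
	if pt, sbom, ok := ResolveSBOM(fetch, digest); ok {
		fmt.Printf("using %s attestation: %s\n", pt, sbom)
	} else {
		fmt.Println("no usable attestation, scanning image")
	}
}
```

The subject-digest check is the part worth keeping even once a real client replaces the fixture: Rekor's index lookup is by hash, but the decision to trust an SBOM must be tied to the digest of the image actually being scanned, and any entry that fails decoding, type or subject checks should simply drop through to the image scan rather than fail the run.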