v4.0.0

BREAKING CHANGES

• post-build-attest is no longer a supplied workflow. We simply suggest removing every instance of this workflow from your own workflows.
• image_url is no longer a valid input for the run-terraform. This can be safely removed without adding anything else.

Features to note

• Binary Authorization - Binauth has been completely removed from all workflows, which removes the need for post-build-attest. Binauth was found to not be mature enough for our needs, and we are looking into other options for image provenance and signing.
• Customize security level - When running the workflow run-security-scans you are now able to add the new input allow_severity_level. This input takes one of the following inputs critical, high, medium, which denotes the highest level of severity that can occur on a scan while still allowing the security scan to pass without errors.
• Terraform destroy plan - When running run-terraform with the destroy: true input, you now get a plan for this destruction during the terraform plan step.
• Easier branch input - Using the deploy-on flag in run-terraform now allows for using only the branch name and not the full github reference.

(The last two features are from older versions, but have not been announced)

What's Changed

• [SKIP-906] Allow customization of RSS severity by @anderssonw in #48
• [SKIP-851] Binauth attestation redux by @anderssonw in #46
• Fixed typos in run-security-scans.yml by @lislei in #51
• Bump aquasecurity/trivy-action from 0.8.0 to 0.9.0 by @dependabot in #52
• [SKIP-667] Image digest output by @anderssonw in #53
• Updates README to better reflect new Binauth changes by @anderssonw in #50
• Bump aquasecurity/trivy-action from 0.9.0 to 0.9.1 by @dependabot in #55
• Bump aquasecurity/trivy-action from 0.9.1 to 0.9.2 by @dependabot in #56
• [SKIP-1008] Remove binauth by @anderssonw in #57

New Contributors

• @lislei made their first contribution in #51

Full Changelog: v3.1.3...v4.0.0