-
Notifications
You must be signed in to change notification settings - Fork 544
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider one-to-one mapping of an invocation to scan result #1262
Labels
enhancement
New feature or request
Comments
cc @developer-guy @Dentrax what do you think? |
+1, that makes sense! It would be better if the the spec mapped single invocation to single scanner and result. In this case |
Yeah I think that's right! |
jdolitsky
added a commit
to jdolitsky/cosign
that referenced
this issue
Jan 4, 2022
In COSIGN_VULN_ATTESTATION_SPEC, modify the "scanners" field to be a single object "scanner" (vs. an array) so that image scans are tied to a single invocation. Resolves sigstore#1262 Signed-off-by: Josh Dolitsky <josh@dolit.ski>
Hello all, attempted to resolve this in #1268 |
dlorenc
pushed a commit
that referenced
this issue
Jan 5, 2022
In COSIGN_VULN_ATTESTATION_SPEC, modify the "scanners" field to be a single object "scanner" (vs. an array) so that image scans are tied to a single invocation. Resolves #1262 Signed-off-by: Josh Dolitsky <josh@dolit.ski>
mlieberman85
pushed a commit
to mlieberman85/cosign
that referenced
this issue
May 6, 2022
In COSIGN_VULN_ATTESTATION_SPEC, modify the "scanners" field to be a single object "scanner" (vs. an array) so that image scans are tied to a single invocation. Resolves sigstore#1262 Signed-off-by: Josh Dolitsky <josh@dolit.ski>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The recent addition of the
COSIGN_VULN_ATTESTATION_SPEC
supports storing multiple scan results originating from a single invocation. I think it would be more intuitive if we encouraged folks to map a single invocation to a single scan result.This would not only make it easier to construct the payload, but easier to write and evaluate policy against as well. I think we should discourage concatenating the outputs from multiple scans in a single invocation. Doing so would be inconsistent with what
invocation
is intended to represent as far as I can tell.Constructing separate vulnerability attestations for different types of scanners makes it easier to write a process that evaluates one or more policies against them. For example, you would download a single, named vulnerability attestation and have some guarantee (or at least a reasonable expectation) that it will contain a result set of a particular schema.
Slack thread for reference: https://sigstore.slack.com/archives/C01PZKDL4DP/p1640878335099100
The text was updated successfully, but these errors were encountered: