
feat: vuln attest support #1168

Merged
merged 1 commit into from
Dec 21, 2021

Conversation

developer-guy
Member

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>

Summary

Users might upload vulnerability scan results in the form of an attestation within the OCI registry.

Ticket Link

Fixes #442

Release Note

feat: vuln attest support

@dlorenc
Member

dlorenc commented Dec 11, 2021

Looks good, the lint errors should be easy!

Metadata Metadata `json:"metadata"`
}

type Invocation struct {
Member

We should probably also add a README in here under specs/ that describes all of these fields in detail and how they should be used.

Member Author

Exactly! This is the next thing that we are going to do 🤝

@developer-guy
Member Author

hey @dlorenc, I know the spec documentation is not perfect, but we tried to do our best. Can you please review it? Thanks in advance 🤝

@developer-guy
Member Author

kindly ping @dlorenc

@dlorenc
Member

dlorenc commented Dec 20, 2021

kindly ping @dlorenc

Sorry missed this because of the WIP in the title. Is it ready for a merge?

@developer-guy
Member Author

I think yes, but it'd be nice if you can review it one more time I guess.

@developer-guy developer-guy changed the title WIP: feat: vuln attest support feat: vuln attest support Dec 20, 2021
@dlorenc dlorenc merged commit 3dd690e into sigstore:main Dec 21, 2021
@dlorenc
Member

dlorenc commented Dec 21, 2021

LGTM!

@github-actions github-actions bot added this to the v1.5.0 milestone Dec 21, 2021
developer-guy added a commit to developer-guy/cosign that referenced this pull request Dec 21, 2021
developer-guy added a commit to developer-guy/cosign that referenced this pull request Dec 21, 2021
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jan 25, 2022
https://build.opensuse.org/request/show/949015
by user msmeissn + dimstar_suse
- updated to 1.5.0
  ## Highlights
  * enable sbom generation when releasing (sigstore/cosign#1261)
  * feat: log error to stderr (sigstore/cosign#1260)
  * feat: support attach attestation (sigstore/cosign#1253)
  * feat: resolve --cert from URL (sigstore/cosign#1245)
  * feat: generate/upload sbom for cosign projects (sigstore/cosign#1237)
  * feat: vuln attest support (sigstore/cosign#1168)
  * feat: add ambient credential detection with spiffe/spire (sigstore/cosign#1220)
  * feat: generate/upload sbom for cosign projects (sigstore/cosign#1236)
  * feat: implement cosign download attestation (https
Successfully merging this pull request may close these issues.

Determine attestation format for vuln scans