
cmd/advisory: sign the output file during export to verify later from consumers #282

Open
Dentrax opened this issue Jul 3, 2023 · 0 comments
Labels
enhancement New feature or request needs-triage applied to all new customer/user issues. Removed after triage occurs.

Comments

@Dentrax
Member

Dentrax commented Jul 3, 2023

Description

In the advisories repo, we currently do not sign the security.json artifact [1] that is generated in the build-and-publish-secdb.yaml action. This file exists to be consumed by scanner DB pipelines.

The idea is to generate signed-output so that consumers (i.e., Trivy, Grype) would verify it later on. (By adding support for that.)

Dropping the idea here so we don't forget!

/cc @luhring @developer-guy

Footnotes

  1. https://github.com/wolfi-dev/advisories/blob/d9c3b43ed002e3027779cca9caa4084a1f7ec69e/.github/workflows/build-and-publish-secdb.yaml#L43

@Dentrax Dentrax added enhancement New feature or request needs-triage applied to all new customer/user issues. Removed after triage occurs. labels Jul 3, 2023
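The pattern the issue asks for, shown as an added example rather than code from the advisories repo or its workflow: the export step writes a detached signature next to security.json, and a consumer verifies the bytes against the publisher's public key before it parses them. The ed25519 keypair, the sample security.json contents, the SecDB struct and the function names are all assumptions made for this example; the real artifact and the signing tool the project chooses would differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sampleSecDB is a constructed stand-in for the security.json artifact.
// It is only shaped enough to parse; the real file carries more fields.
const sampleSecDB = `{"apkurl":"https://example.invalid/{{pkg.name}}-{{pkg.ver}}.apk","archs":["x86_64"],"packages":[]}`

// SecDB is an assumed minimal consumer-side view of the artifact.
type SecDB struct {
	ApkURL   string            `json:"apkurl"`
	Archs    []string          `json:"archs"`
	Packages []json.RawMessage `json:"packages"`
}

// NewKeyPair creates the publisher's signing key. In a real pipeline the
// private key would live in the CI secret store (or a keyless flow would
// be used); it is generated here only so the example runs offline.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignBlob produces a detached, base64-encoded signature over the exact
// bytes of the artifact; this is what an export step would write next to
// security.json (for instance as security.json.sig).
func SignBlob(priv ed25519.PrivateKey, artifact []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, artifact))
}

// VerifyBlob checks the detached signature against the artifact bytes with
// the publisher's public key. Any change to the bytes, or a signature made
// with a different key, fails here.
func VerifyBlob(pub ed25519.PublicKey, artifact []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("decode signature: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has wrong length")
	}
	if !ed25519.Verify(pub, artifact, sig) {
		return errors.New("signature does not match artifact or key")
	}
	return nil
}

// LoadVerified is the consumer-side entry point: verify first, parse
// second, so unsigned or tampered data never reaches the scanner's DB import.
func LoadVerified(pub ed25519.PublicKey, artifact []byte, sigB64 string) (*SecDB, error) {
	if err := VerifyBlob(pub, artifact, sigB64); err != nil {
		return nil, err
	}
	var db SecDB
	if err := json.Unmarshal(artifact, &db); err != nil {
		return nil, fmt.Errorf("parse security.json: %w", err)
	}
	return &db, nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	artifact := []byte(sampleSecDB)

	// Publisher side: sign at export time.
	sig := SignBlob(priv, artifact)
	fmt.Println("detached signature:", sig)

	// Consumer side: the genuine file verifies and parses.
	db, err := LoadVerified(pub, artifact, sig)
	fmt.Printf("genuine artifact: err=%v archs=%v\n", err, db.Archs)

	// A modified file (one package entry injected) must be rejected
	// before any of it is parsed.
	tampered := []byte(strings.Replace(sampleSecDB, `"packages":[]`, `"packages":[{}]`, 1))
	_, err = LoadVerified(pub, tampered, sig)
	fmt.Printf("tampered artifact: err=%v\n", err)
}
```

The consumer only needs the public key and the two files; because the signature covers the raw bytes, even whitespace-only edits to security.json invalidate it, so the file should be published and verified byte-for-byte rather than re-serialized along the way.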