cmd/advisory: sign the output file during export to verify later from consumers #282
Labels: enhancement, needs-triage
Description
In the advisories repo, we currently do not sign the `security.json` artifact [1] that is generated in the build-and-publish-secdb.yaml action. This file exists to be consumed by scanner DB pipelines. The idea is to generate signed output so that consumers (i.e., Trivy, Grype) would verify it later on (by adding support for that).
Dropping the idea here so we don't forget!
/cc @luhring @developer-guy
Footnotes

[1] https://github.com/wolfi-dev/advisories/blob/d9c3b43ed002e3027779cca9caa4084a1f7ec69e/.github/workflows/build-and-publish-secdb.yaml#L43
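An added example (not code from the wolfi-dev/advisories project or the issue author) sketching the split the issue asks for: the producer signs the exported bytes at export time, and a consumer verifies them before ingesting the file. It uses Go's standard-library Ed25519; the `SignedArtifact` type, the function names, the freshly generated key pair and the document contents are all assumptions for illustration, not the repo's format or keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedArtifact pairs the exported bytes with a detached Ed25519 signature
// computed over exactly those bytes. The type and its layout are an
// assumption for this example, not a format the advisories repo defines.
type SignedArtifact struct {
	Payload   []byte // the security.json bytes as they would be written to disk
	Signature []byte // Ed25519 signature over Payload
}

// NewKeyPair generates a producer key pair. In a real pipeline the private key
// would live in the CI secret store rather than being minted per run.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Export is the producer side: serialize the secdb document and sign the
// serialized bytes. Signing the bytes (not the parsed structure) means the
// consumer verifies the file exactly as it was published.
func Export(doc any, priv ed25519.PrivateKey) (SignedArtifact, error) {
	payload, err := json.Marshal(doc)
	if err != nil {
		return SignedArtifact{}, fmt.Errorf("serialize secdb: %w", err)
	}
	return SignedArtifact{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the consumer side (what a scanner DB pipeline would run before
// ingesting the file). It returns an error if the payload was altered after
// export or was signed by a key other than the trusted producer key.
func Verify(a SignedArtifact, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("trusted public key has wrong length")
	}
	if len(a.Signature) != ed25519.SignatureSize {
		return fmt.Errorf("signature has wrong length %d", len(a.Signature))
	}
	if !ed25519.Verify(pub, a.Payload, a.Signature) {
		return errors.New("signature does not verify: artifact altered or signed by an untrusted key")
	}
	return nil
}

// Tamper returns a copy of the artifact with one payload byte flipped, used
// to show that verification catches post-export modification.
func Tamper(a SignedArtifact) SignedArtifact {
	p := append([]byte(nil), a.Payload...)
	p[0] ^= 0xff
	return SignedArtifact{Payload: p, Signature: a.Signature}
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the exported document; not the real secdb schema.
	doc := map[string]any{
		"packages": []map[string]any{
			{"name": "example-pkg", "secfixes": map[string][]string{"1.2.3-r0": {"CVE-PLACEHOLDER"}}},
		},
	}
	art, err := Export(doc, priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched artifact:", Verify(art, pub))        // <nil>
	fmt.Println("tampered artifact: ", Verify(Tamper(art), pub)) // error
}
```

In practice the detached signature would be published next to the file (a name such as `security.json.sig` is an assumption here) and the public key handed to consumers out of band, so that a scanner pipeline fails closed when either the bytes or the signing key do not match.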