Provide vulnerability attestation based on cosign vuln spec #614
Comments
|
Thanks @developer-guy! It'd be neat to produce vulnerability attestations in Grype. 🚀 Before we proceed, I'd like to better understand the spec and the thinking behind it. I've opened an issue in Cosign: sigstore/cosign#1381 |
spiffcs
changed the title
|
Kind ping here 🤞 We would like to help if any help is wanted. |
|
Thanks @Dentrax — we're waiting for those questions around Cosign's attestation spec to be cleared up before we implement something here in Grype. |
|
Added the blocked label until questions from 1381 are resolved. |
spiffcs
added
needs-discussion
and removed
blocked
|
This is now unblocked and there is a specification to follow I've added a label for this so we can discuss it on our livestream for the next Thursday meeting: |
|
Hey! We discussed this during the latest live stream (from around 20-40 mins). There was some feeling of resistance to adding cosign as a library in grype, given past experience doing the same in syft. We feel it's probably going to be too costly to integrate cosign into our project in terms of significantly increasing build time and binary size. The preference would be for there to be better documentation of how calling cosign is done effectively after grype has run. A well-maintained recipe might be all that's needed from our perspective. Where that recipe lives is up for debate. We also discussed the possibility of integrating cosign as a step in our GitHub actions to automate the attestation of the results of the scan-action / grype run. |
|
Thanks for the update. There was a tracking issue related to dependency tree: sigstore/cosign#1462 Also this project might helpful to provide basic operations without having lots of deps: https://github.com/sigstore/sigstore-go |
What would you like to be added:
Why is this needed:
In cosign, we (w/@Dentrax @dlorenc) worked on generating a spec for vulnerabilities1 and ended up having something like the following 👇
https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VULN_ATTESTATION_SPEC.md
So, I thought that it'd be nice to adapt it to Grype, maybe we can enable this support with a flag
--attestation <PATH>.Additional context:
Footnotes
https://github.com/sigstore/cosign/issues/442 ↩
The text was updated successfully, but these errors were encountered: