sign vulnerability attestation before saving it to the disk #2758
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
developer-guy
added
the
kind/feature
|
What if we pass attestations via pipe? Then, all security scanners don't have to re-implement cosign functionalities. |
|
Quoted from @znewman01:
COSIGN_EXPERIMENTAL=1 cosign attest \
--type vuln \
--predicate <(trivy image -f cosin-vuln <IMAGE>) \
<IMAGE> |
|
But also note @developer-guy's PR to accept That's a better long-term solution 😄 |
|
Looks like @developer-guy'S PR got merged. Thanks for your help. |
|
We should probably update the docs still |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We (w/@Dentrax) thought there was a slight time window that the attacker could gain access to the system and changes the content of the vulnerability attestation before you sign and upload it to the registry. A similar problem has been addressed in the Syft project for SBOM attestations1. So, we should sign the vulnerability attestation before saving it to the disk.
If you like the idea, we are willing to do that, and please share your thoughts, thanks.
cc: @knqyf263 @itaysk
Footnotes
https://anchore.com/sbom/creating-sbom-attestations-using-syft-and-sigstore/ ↩
The text was updated successfully, but these errors were encountered: