-
Notifications
You must be signed in to change notification settings - Fork 561
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add attests, provenance and sbom inputs #746
add attests, provenance and sbom inputs #746
Conversation
5b413ac
to
4f54113
Compare
name: Print provenance | ||
if: matrix.target == 'binary' | ||
run: | | ||
cat /tmp/buildx-build/provenance.json | jq |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we also do some basic content validation for a build parameter and sbom pkg for example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean schema validation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think we can add this as a follow-up?
4f54113
to
4d0c6f6
Compare
I am using this action in our workflows to build. I am discovering that ECR does not like the attestation layers pushed when security scanning is enabled on a repository. It results in a |
4d0c6f6
to
f67019b
Compare
0b44db1
to
41b908e
Compare
d4e437d
to
e67d7f8
Compare
e67d7f8
to
a0cfe1a
Compare
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
a0cfe1a
to
223ed1e
Compare
Is it because it cannot scan these indexes? Do you have more logs?
That's correct, you might need to set |
I believe it is because it doesn't understand what these SBOM layers are so it just leaves them as I have a feeling ECR is just behind the 8-ball on this and needs to update their registry to properly support these provenance/SBOM layers. For the time being maybe I can just turn it off after this update is merged? Here's an example of the CI job:
Here's what it looks like in ECR:
|
@crazy-max how can I properly set
it doesn't seem to work.
|
@nanake Thanks for your report, will fix that. |
No description provided.