read attestation from stdin in attest cmd

[developer-guy]

Description

We(w/@Dentrax)'ve opened an issue in the Trivy project related to the signing attestation before saving it to the disk.¹ A similar work has also been done in the Syft project.² Thanks to @knqyf263, he came up with an interesting idea, if we pass attestations via a pipe in attest cmd, then all security scanners don't have to re-implement cosign functionalities. So, the UX would be like the following:

trivy image -f cosin-vuln <IMAGE> | COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate - <IMAGE>

This makes a lot of sense to me, so I've raised an issue in Cosign to discuss further; if you like the idea, I'm willing to work on it, thanks.

Footnotes

1. https://github.com/aquasecurity/trivy/issues/2758 ↩

2. https://github.com/anchore/syft/pull/785 ↩

[znewman01]

FWIW you can do this today in bash or zsh (though not sh) with process substitution:

COSIGN_EXPERIMENTAL=1 cosign attest \
    --type vuln \
    --predicate <(trivy image -f cosin-vuln <IMAGE>) \
    <IMAGE>

That said, I still think accepting - is convenient and a good idea.