chainguard-images / actions

GitHub actions for the chainguard-images
Apache License 2.0

Use cosign 1.8.0 and `verify-attestation` for vulnz checking #7

Closed. mattmoor closed this 1 year ago

mattmoor commented 2 years ago

Opening this to track integrating @vaikas' work to use Cue + verify-attestation in cosign 1.8 to check scan results for vulnerabilities.

I think we should support taking a Cue policy input, and default it to roughly match today's semantics as an example.
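
One concrete shape the proposal could take, as an added example that is not code from this repository or from cosign: a CUE policy that accepts a cosign `vuln` attestation only when the embedded scan found nothing, plus the cosign 1.8 `verify-attestation` call that enforces it. It assumes cosign is on PATH, that the attestation was produced with `cosign attest --type vuln`, that cosign evaluates the policy against the whole in-toto statement (`predicateType` + `predicate`), and that the scanner result stored in the predicate is Trivy JSON (`Results[].Vulnerabilities`); the image and key arguments are placeholders.

```shell
#!/bin/sh
# Added example, not the chainguard-images/actions code. Assumes cosign >= 1.8.0
# on PATH and a vuln attestation whose scanner result is Trivy JSON.
set -eu

# Write a CUE policy that rejects the attestation if the scan found any
# vulnerability. cosign evaluates it against the attestation's in-toto statement.
write_vuln_policy() {
  out="$1"
  cat >"$out" <<'CUE'
// Only accept the cosign vuln predicate type (assumed statement layout).
predicateType: "https://cosign.sigstore.dev/attestation/vuln/v1"

predicate: scanner: result: {
    // Trivy omits "Vulnerabilities" for a clean target, so the field is
    // optional; when present it must unify with the empty list.
    Results?: [...{Vulnerabilities?: []}]
}
CUE
}

# Verify the vuln attestation on $1 with public key $2 and enforce the policy.
# Returns 2 on bad usage, otherwise cosign's exit status (non-zero on a bad
# signature, wrong predicate type, or a policy violation).
verify_vuln_attestation() {
  if [ "$#" -lt 2 ]; then
    echo "usage: verify_vuln_attestation IMAGE PUBKEY [POLICY.cue]" >&2
    return 2
  fi
  image="$1"
  pubkey="$2"
  # cosign picks the evaluator from the extension, so the file must end in .cue
  policy="${3:-${TMPDIR:-/tmp}/vuln-policy.cue}"
  write_vuln_policy "$policy"
  cosign verify-attestation --type vuln --key "$pubkey" --policy "$policy" "$image"
}

# Run directly as: ./check-vuln.sh IMAGE cosign.pub
if [ "$#" -ge 2 ]; then
  verify_vuln_attestation "$@"
fi
```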

mattmoor commented 2 years ago

This TODO: https://github.com/distroless/actions/blob/5bcffcc38b54ed221e02a502ff900aa039a1bdb8/apko-snapshot/action.yaml#L141

strongjz commented 2 years ago

https://github.com/distroless/actions/pull/20

strongjz commented 2 years ago

https://github.com/distroless/actions/pull/33

jdolitsky commented 1 year ago

Closing as old/inactive. Please re-open if necessary.