in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

New command `init` to auto-generate template witness yaml file #347

Closed ChaosInTheCRD closed 10 months ago

ChaosInTheCRD commented 11 months ago

A quick PR to allow the user to automatically generate a `witness.yml` file with empty values, for the purpose of easing the process of creating them. This should also encourage the use of the `witness.yml` file.

I have also added some code to the `docgen/docs.go` file so that updates to the schema can be auto-templated in.

The `init` command name is of course subject to change depending on people's thoughts on what the command name should be, as well as on the decision whether to merge this functionality upstream at all.

colek42 commented 11 months ago

This is related to the second point in this security issue: https://github.com/in-toto/witness/issues/268.

See this security advisory for in-toto: https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf

I think we could mitigate by forcing a `-c` flag for the config file location.
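As an added illustration, not code from the witness project, here are the two ideas in this thread in Go: a reflection-driven `init` that emits a YAML skeleton with every key present and every value empty (the auto-templating from the schema described in the PR), and a loader that only reads a config path passed explicitly via `-c` and never searches the working directory, which is the mitigation colek42 proposes above. The `Config` struct, its `run`/`sign` keys and the `witness-demo` command name are assumptions made for the example; they are not witness's real schema or CLI.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"path/filepath"
	"reflect"
	"strings"
)

// Config stands in for a witness config schema (an assumption; the real schema
// is defined in the witness codebase and is not reproduced here).
type Config struct {
	Run struct {
		Step         string   `yaml:"step"`
		Key          string   `yaml:"key"`
		Attestations []string `yaml:"attestations"`
		Outfile      string   `yaml:"outfile"`
	} `yaml:"run"`
	Sign struct {
		Key     string `yaml:"key"`
		Outfile string `yaml:"outfile"`
	} `yaml:"sign"`
}

// Template renders the schema as YAML with every key present and every leaf
// empty; walking the type by reflection means new fields appear automatically.
func Template(v interface{}) string {
	var sb strings.Builder
	renderFields(&sb, reflect.TypeOf(v), 0)
	return sb.String()
}

func renderFields(sb *strings.Builder, t reflect.Type, depth int) {
	indent := strings.Repeat("  ", depth)
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		key := f.Tag.Get("yaml")
		if key == "" {
			key = strings.ToLower(f.Name)
		}
		switch f.Type.Kind() {
		case reflect.Struct: // nested struct becomes a nested map
			fmt.Fprintf(sb, "%s%s:\n", indent, key)
			renderFields(sb, f.Type, depth+1)
		case reflect.Slice: // slices become empty lists
			fmt.Fprintf(sb, "%s%s: []\n", indent, key)
		default: // scalars become empty strings for the user to fill in
			fmt.Fprintf(sb, "%s%s: \"\"\n", indent, key)
		}
	}
}

// ErrNoConfigFlag: the tool never searches the working directory for a config
// file on its own. A freshly cloned checkout could ship a witness.yml that
// redirects keys, outputs or attestors, so the location must come via -c.
var ErrNoConfigFlag = errors.New("config file must be given explicitly with -c")

// ResolveConfigPath accepts only an explicit path naming a regular file.
func ResolveConfigPath(explicit string) (string, error) {
	if explicit == "" {
		return "", ErrNoConfigFlag
	}
	abs, err := filepath.Abs(explicit)
	if err != nil {
		return "", err
	}
	info, err := os.Stat(abs)
	if err != nil {
		return "", err
	}
	if !info.Mode().IsRegular() {
		return "", fmt.Errorf("%s: not a regular file", abs)
	}
	return abs, nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: witness-demo init | witness-demo run -c <config>")
		os.Exit(2)
	}
	switch os.Args[1] {
	case "init":
		fmt.Print(Template(Config{})) // redirect to witness.yml to start from the skeleton
	case "run":
		fs := flag.NewFlagSet("run", flag.ExitOnError)
		cfgPath := fs.String("c", "", "path to the witness config file (required)")
		_ = fs.Parse(os.Args[2:])
		path, err := ResolveConfigPath(*cfgPath)
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(1)
		}
		fmt.Println("would load config from", path)
	}
}
```

`go run . init > witness.yml` writes the skeleton; `go run . run` with no `-c` fails closed, and `go run . run -c witness.yml` proceeds. The point of refusing the implicit lookup is that a config file checked into an untrusted repository cannot silently steer the signing key or output location of a build that merely ran inside that checkout.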

ChaosInTheCRD commented 10 months ago

At the moment it does not seem clear how this PR fits in with the structure of the CLI. Therefore, I am going to close this draft PR, but I will create an issue that references the work, with the desire to add functionality for auto-generating witness config files.