k3s-io / k3s

Lightweight Kubernetes
https://k3s.io
Apache License 2.0

Improve CVE scanning on the PRs to the k3s repo #10759

Open caroline-suse-rancher opened 2 weeks ago

caroline-suse-rancher commented 2 weeks ago

In an effort to improve our rate of dependency bumps and CVE fixes, we would like more visibility into our scan results on each PR to the k3s project. This will likely involve a new GHA or something to that effect to expose the results of our CVE scans (right now we use Trivy) for each PR. That way we can evaluate what needs to be done on a release-to-release basis to mitigate CVEs.
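One way the "expose the results for each PR" step of such a workflow could look, as an added example for this thread and not code from the k3s project: a small script that takes a Trivy JSON report (`trivy ... --format json`, SchemaVersion 2, a top-level `Results` list whose entries carry `Target` and `Vulnerabilities`), renders a Markdown summary that a job can write to `$GITHUB_STEP_SUMMARY` or post as a PR comment, and returns a pass/fail decision. The sample report embedded below is constructed, and its CVE identifiers and package names are placeholders rather than real advisories. The gating rule, blocking only on findings at or above a severity threshold that already have a fixed version, is an assumption chosen for this example, on the reasoning that a PR check should fail on what a dependency bump can actually resolve and merely report the rest.

```python
"""Turn a Trivy JSON report into a PR-visible summary plus a pass/fail gate.

Added example, not k3s project code. Assumes Trivy's JSON output shape
(SchemaVersion 2: "Results" -> "Target", "Vulnerabilities"). The sample
report is constructed; its CVE IDs and package names are placeholders.
"""
import json
from collections import Counter

# Trivy severity levels, most severe first; used for sorting and thresholds.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]
RANK = {s: i for i, s in enumerate(SEVERITY_ORDER)}

# Constructed sample report (placeholder IDs, not real advisories).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "go.mod", "Class": "lang-pkgs", "Type": "gomod",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example.com/pkg-a",
                 "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1",
                 "Severity": "HIGH", "Title": "placeholder finding with a fix"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example.com/pkg-b",
                 "InstalledVersion": "0.9.0", "FixedVersion": "",
                 "Severity": "CRITICAL", "Title": "placeholder finding, no fix yet"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example.com/pkg-c",
                 "InstalledVersion": "3.0.0", "FixedVersion": "3.0.2",
                 "Severity": "LOW", "Title": "placeholder low finding"},
            ],
        },
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "bin/k3s", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
})


def parse_findings(report_text):
    """Flatten a Trivy JSON report into one dict per (target, vulnerability).

    Clean targets (no "Vulnerabilities" key) are skipped; an unexpected
    severity string is normalised to UNKNOWN instead of raising.
    """
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            findings.append({
                "target": result.get("Target", "?"),
                "id": vuln.get("VulnerabilityID", "?"),
                "pkg": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": sev if sev in RANK else "UNKNOWN",
            })
    findings.sort(key=lambda f: (RANK[f["severity"]], f["pkg"], f["id"]))
    return findings


def severity_counts(findings):
    """Findings per severity, with every level present so the table is stable."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def actionable(findings, threshold="HIGH"):
    """Findings at or above `threshold` that have a fixed version available.

    Assumption for this example: block only on what a dependency bump can
    resolve; unfixed CVEs are reported but do not fail the check.
    """
    return [f for f in findings
            if RANK[f["severity"]] <= RANK[threshold] and f["fixed"]]


def render_markdown(findings, threshold="HIGH"):
    """Markdown for $GITHUB_STEP_SUMMARY or a PR comment body."""
    counts = severity_counts(findings)
    lines = ["## Trivy scan results", "",
             "| " + " | ".join(SEVERITY_ORDER) + " |",
             "|" + "---|" * len(SEVERITY_ORDER),
             "| " + " | ".join(str(counts[s]) for s in SEVERITY_ORDER) + " |", ""]
    if findings:
        lines += ["| Severity | ID | Package | Installed | Fixed | Target |",
                  "|---|---|---|---|---|---|"]
        for f in findings:
            lines.append("| {severity} | {id} | {pkg} | {installed} | {fixed} | {target} |"
                         .format(**{**f, "fixed": f["fixed"] or "none"}))
    blocking = actionable(findings, threshold)
    lines += ["", f"Fixable findings at or above {threshold}: {len(blocking)}"]
    return "\n".join(lines) + "\n"


def gate(report_text, threshold="HIGH"):
    """Return (markdown, should_fail); wire should_fail to the job's exit status."""
    findings = parse_findings(report_text)
    return render_markdown(findings, threshold), bool(actionable(findings, threshold))


if __name__ == "__main__":
    import sys
    # Read a real report on stdin (e.g. piped from trivy), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    markdown, failed = gate(text)
    print(markdown)
    sys.exit(1 if failed else 0)
```

In a workflow step this would run as something like `trivy fs --format json . | python trivy_summary.py >> "$GITHUB_STEP_SUMMARY"`, with the non-zero exit status marking the PR check failed; the threshold is a parameter so it can be tightened release by release as the backlog of fixable findings shrinks.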

harsimranmaan commented 2 weeks ago

Would be nice to generate SBOMs and attestations for each release too