Support for Adding Attestation to Containers Using COSIGN Vulnerability Attestation Specification

[timbastin]

To enhance the security and trustworthiness of containers scanned by "FlawFind", it is proposed to implement a feature that adds an attestation to each container. This attestation, based on the COSIGN Vulnerability Attestation specification, will serve as a verifiable declaration of the container's security status, including details of any vulnerabilities found during the scan.

Why is this important?

1. Trust and Verification: By attaching a COSIGN attestation to containers, "FlawFind" will enable downstream users and systems to verify the security status of containers in a standardized and trustworthy manner.
2. Automation-Friendly: The attestation is machine-readable, allowing for automated security policies and decision-making processes based on the attested information.
3. Standardization: Utilizing the COSIGN Vulnerability Attestation specification aligns "FlawFind" with industry standards, promoting interoperability and the adoption of best practices in container security.

Feature Request:

• Develop functionality within "FlawFind" to generate a COSIGN attestation after each container scan, detailing the findings in accordance with the COSIGN Vulnerability Attestation specification. The attestation should include comprehensive information about detected vulnerabilities, such as their identifiers (e.g., CVE numbers), descriptions, severity levels, and any available remediation steps.
• Ensure that the attestation can be easily associated with the corresponding container image, for example, by using container image digests as part of the attestation data.
• Provide documentation and guidance for users on how to verify the attestations and integrate this verification process into their CI/CD pipelines or container deployment workflows.

Here are some additional information: https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VULN_ATTESTATION_SPEC.md