ossf / malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Apache License 2.0

Add Stacklok Trusty as a source, and allow access to AWS #569

Open lukehinds opened 2 months ago

lukehinds commented 2 months ago

For the past two months, Stacklok Trusty has been reporting malicious packages we have detected via our analysis systems. This has been via manual PRs. We would now like to expose an S3 bucket so that we can automate reporting.

For the record, packages will be human-vetted before a report is created.

lukehinds commented 2 months ago

cc: @calebbrown, point me to any setup docs and we are happy to do the lifting from our side.

calebbrown commented 1 month ago

Hi! Very happy to help integrate. There aren't many docs at the moment. I'll try and extend them to help.

In the meantime, you can see some of the automated ingestion that has occurred in the past to get an idea of the structure of the OSV documents we expect.

There are some more details in the CONTRIBUTING.md doc that may help.

Regarding auth, I need to document this more thoroughly too. For AWS, a key and secret for a read-only IAM account with access to the bucket is sufficient. They are added to GitHub as a secret and embedded in an .aws/credentials file during the workflow that ingests the content.

Please let me know if you have any specific questions or details you may need.
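An added illustration of the auth setup described in the comment above. This is not code from the ossf/malicious-packages repository or its ingestion workflow; it shows what a reporter would provision on the AWS side (a read-only IAM policy scoped to one bucket) and what a workflow step would do with the injected secret (write an `.aws/credentials` file that only the runner user can read). The bucket name `example-reporter-osv`, the profile name, and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of ossf/malicious-packages. Bucket name, profile
# name and function names are placeholders chosen for this illustration.

# Least-privilege policy for the IAM user whose key is stored as the GitHub
# secret: it may list the one bucket and read its objects, nothing else
# (no PutObject, no DeleteObject, no access to other buckets).
READ_ONLY_POLICY='{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOsvReports",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::example-reporter-osv"
    },
    {
      "Sid": "ReadOsvReports",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-reporter-osv/*"
    }
  ]
}'

# write_aws_credentials DIR [PROFILE]
# Writes DIR/credentials containing one profile built from the environment
# variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (which a workflow
# step would populate from the repository secret). The file is created with
# mode 0600 via a restrictive umask, so there is no window in which it is
# readable by other users on the runner. Returns non-zero and writes nothing
# if either variable is unset or empty.
write_aws_credentials() {
    dir="$1"
    profile="${2:-default}"
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "write_aws_credentials: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY not set" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    (
        umask 077
        printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
            "$profile" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" \
            > "$dir/credentials"
    )
}

# credentials_file_mode FILE
# Prints the octal permission bits of FILE (GNU stat first, BSD stat as
# fallback) so a job can assert the file is really 600 before using it.
credentials_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

In a GitHub Actions job the two variables would come from the repository secret through the step's `env:` block (`AWS_ACCESS_KEY_ID: ${{ secrets.REPORTER_AWS_KEY_ID }}`, and likewise for the secret key), and `write_aws_credentials "$HOME/.aws"` would run before the sync or download step. Two checks worth keeping in the job: assert `credentials_file_mode` prints `600`, and never echo the variables or the file contents into the log. Because the key is read-only, a leaked runner credential lets an attacker read reports that are about to be published anyway, but not tamper with them.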