VEX Autodiscovery! #1619
Open: puerco wants to merge 7 commits into anchore:main (base: main) from puerco:vex-discovery
Conversation
@wagoodman: please let me know what you think about the approach I'm taking. Let's also discuss adding the audit trail to the raw json scan results.
puerco force-pushed the vex-discovery branch 6 times, most recently from f485f18 to 180c951 on November 29, 2023 06:08
This commit imports the openvex autodiscovery module Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit adds a new vex-autodiscover option that enables the VEX discovery mechanism. It is exposed as a flag, in the config file or via an environment variable. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
This commit replaces the internal logic that computes software identifiers from images and delegates it to the OpenVEX OCI module. Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
The generation of identifiers is now handled by the openvex discovery module so we drop it from the vex processor implementation and also delete the test file. Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
As we now delegate the generation of identifiers to the openvex libraries, we pass the user input string verbatim instead of using the stereoscope reference in the tests. Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Hi @puerco, I had a look through this and I think it looks pretty good. Is there a possibility of adding some sort of test for this, though?
This PR adds autodiscovery capabilities to the VEX processor when scanning container images.
The discovery feature is disabled by default; this PR proposes a new --vex-autodiscover flag that starts the autodiscover flow when set. The whole autodiscover logic is performed by the openvex/discovery module. It looks for OpenVEX attestations attached using the sigstore attestation spec to the container image being scanned. If any are found, they are retrieved from the image registry and any applicable OpenVEX statements are added to the VEX history computation. In other words, any documents found attached to the image are mixed with those specified via the command line with --vex.

This implements most of 3 & 4 of our plan outlined in #1365.
At this time we are not performing any signature verification or lookups in other registries.
Signed-off-by: Adolfo Garcia Veytia (puerco) puerco@chainguard.dev
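The mixing of discovered and operator-supplied documents that the description refers to, as an added Python example that is not code from this PR or from grype: two constructed OpenVEX documents (one as if passed with --vex, one as if found attached to the image) are flattened into a chronological history per vulnerability and product, where the newest statement decides the status and a source tag on every record gives the audit trail the comments ask about. The document ids, package URL and CVE id are placeholders; since the PR does no signature verification, the source tag is what lets a consumer tell unverified discovered statements from the ones the operator supplied.

```python
"""Added example: merge OpenVEX statements from several sources (not grype code)."""
import json
from datetime import datetime

PRODUCT = "pkg:oci/app@sha256%3A0000"  # placeholder image identifier
VULN = "CVE-0000-00000"                # placeholder vulnerability id

def make_doc(doc_id, timestamp, status, justification=None):
    """Build a minimal OpenVEX document (constructed sample data)."""
    stmt = {"vulnerability": {"name": VULN}, "products": [{"@id": PRODUCT}], "status": status}
    if justification:  # the spec requires one when status is not_affected
        stmt["justification"] = justification
    return json.dumps({"@context": "https://openvex.dev/ns/v0.2.0", "@id": doc_id,
                       "author": "example", "timestamp": timestamp, "version": 1,
                       "statements": [stmt]})

# One document passed with --vex, one found attached to the image (both constructed).
CLI_DOC = make_doc("https://example.invalid/vex/cli", "2023-11-01T00:00:00Z", "under_investigation")
DISCOVERED_DOC = make_doc("https://example.invalid/vex/attested", "2023-11-20T00:00:00Z",
                          "not_affected", "vulnerable_code_not_present")

def load_statements(doc_json, source):
    """Flatten a document into records tagged with the source they came from.
    A statement's own timestamp wins; otherwise the document timestamp applies."""
    doc = json.loads(doc_json)
    records = []
    for stmt in doc["statements"]:
        raw_ts = stmt.get("timestamp") or doc["timestamp"]
        ts = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
        records.append({"ts": ts, "source": source, "doc": doc["@id"], "statement": stmt})
    return records

def vex_history(records):
    """Group records by (vulnerability, product) in chronological order.
    The last entry decides the status; the whole list is the audit trail."""
    history = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        stmt = rec["statement"]
        for product in stmt["products"]:
            key = (stmt["vulnerability"]["name"], product["@id"])
            history.setdefault(key, []).append(rec)
    return history

def final_status(history, vuln, product):
    """Status of the most recent statement for this vulnerability/product pair."""
    return history[(vuln, product)][-1]["statement"]["status"]

def audit_trail(history, vuln, product):
    """(source, document id, status) of every statement, oldest first."""
    return [(r["source"], r["doc"], r["statement"]["status"]) for r in history[(vuln, product)]]
```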