
Scan SBOM attestation #2614

Closed
knqyf263 opened this issue Jul 28, 2022 · 2 comments · Fixed by #2652

@knqyf263
Collaborator

knqyf263 commented Jul 28, 2022

Trivy generates an SBOM, and cosign uploads it to an OCI registry in the in-toto attestation format.
https://aquasecurity.github.io/trivy/dev/docs/attestation/sbom/

Also, Trivy can scan an SBOM (currently CycloneDX only) for vulnerabilities.
https://aquasecurity.github.io/trivy/dev/docs/sbom/cyclonedx/

The next step is consuming the SBOM attestation and scanning it for vulnerabilities. There are some use cases, as far as I know:

  1. Fetch the attestation of a container image from an OCI registry, extract the SBOM and scan it for vulnerabilities
  2. cosign verify-attestation returns a verified attestation, so Trivy takes it as input and scans it for vulnerabilities
  3. Take a local file containing an attestation and scan it

We may want to add a new subcommand for attestations, like trivy attestation, that takes an attestation as input. Then the commands for each use case above could be as below.

  1. $ trivy image --attest knqyf263/myapp:latest
  2. $ cosign verify-attestation --key cosign.pub knqyf263/myapp:latest | trivy attestation -
  3. $ trivy attestation ./vuln.json

Feedback is welcome.

@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. scan/sbom Issues relating to SBOM labels Jul 28, 2022
@knqyf263 knqyf263 added this to the v0.31.0 milestone Aug 1, 2022
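The input for use cases 2 and 3 above is a DSSE envelope whose payload is a base64-encoded in-toto Statement, with the CycloneDX document as the predicate. The following Go program is an added example of unwrapping that file and handing the components to a scanner; it is not Trivy's or cosign's code. It assumes cosign's payloadType `application/vnd.in-toto+json` and the predicateType `https://cyclonedx.org/bom` for CycloneDX predicates, and it does not verify signatures: the envelope is expected to come from `cosign verify-attestation`, so only structural checks are done here. The sample envelope is constructed inside the program.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the DSSE envelope written by cosign attest (only needed fields).
type Envelope struct {
	PayloadType string            `json:"payloadType"`
	Payload     string            `json:"payload"` // base64 of the in-toto Statement
	Signatures  []json.RawMessage `json:"signatures"`
}

// Statement is the in-toto Statement; the predicate stays raw until its type is checked.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// CycloneDX models just enough of a CycloneDX JSON BOM to feed a scanner.
type CycloneDX struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

const (
	inTotoPayloadType      = "application/vnd.in-toto+json"
	cycloneDXPredicateType = "https://cyclonedx.org/bom" // assumed cosign value for --type cyclonedx
)

// ExtractCycloneDX unwraps envelope -> statement -> predicate, rejecting any layer
// that is not the expected type. Signature verification is cosign's job, done beforehand.
func ExtractCycloneDX(envelopeJSON []byte) (*CycloneDX, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return nil, fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parse statement: %w", err)
	}
	if st.PredicateType != cycloneDXPredicateType {
		return nil, fmt.Errorf("unsupported predicateType %q", st.PredicateType)
	}
	if len(st.Subject) == 0 {
		return nil, errors.New("statement has no subject")
	}
	var bom CycloneDX
	if err := json.Unmarshal(st.Predicate, &bom); err != nil {
		return nil, fmt.Errorf("parse predicate: %w", err)
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("bomFormat %q is not CycloneDX", bom.BOMFormat)
	}
	return &bom, nil
}

// BuildEnvelope wraps a predicate the way an attestation looks on disk (use case 3).
// Constructed test data: the subject digest and signature are placeholders.
func BuildEnvelope(predicateType string, predicate interface{}) []byte {
	predJSON, _ := json.Marshal(predicate)
	st := Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: predicateType,
		Subject:       []Subject{{Name: "knqyf263/myapp", Digest: map[string]string{"sha256": "PLACEHOLDER_DIGEST"}}},
		Predicate:     predJSON,
	}
	stJSON, _ := json.Marshal(st)
	env := Envelope{
		PayloadType: inTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(stJSON),
		Signatures:  []json.RawMessage{json.RawMessage(`{"keyid":"","sig":"PLACEHOLDER_SIG"}`)},
	}
	out, _ := json.Marshal(env)
	return out
}

// SampleBOM is a constructed two-component CycloneDX document.
func SampleBOM() CycloneDX {
	return CycloneDX{BOMFormat: "CycloneDX", Components: []Component{
		{Type: "library", Name: "lodash", Version: "4.17.21", PURL: "pkg:npm/lodash@4.17.21"},
		{Type: "library", Name: "requests", Version: "2.28.1", PURL: "pkg:pypi/requests@2.28.1"},
	}}
}

func main() {
	bom, err := ExtractCycloneDX(BuildEnvelope(cycloneDXPredicateType, SampleBOM()))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, c := range bom.Components {
		fmt.Println(c.PURL) // the PURLs are what a scanner matches against advisories
	}
}
```

The per-layer checks matter because a file that is a valid DSSE envelope may still carry an SPDX predicate, a provenance predicate or an arbitrary JSON document; branching on predicateType before decoding the predicate keeps the scanner from silently treating unrelated data as a BOM.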
@knqyf263
Collaborator Author

knqyf263 commented Aug 1, 2022

@otms61 Could you take it?

@otms61
Collaborator

otms61 commented Aug 1, 2022

Alright. I will try.
