Trivy generates an SBOM and cosign uploads it in the in-toto attestation format to an OCI registry.
https://aquasecurity.github.io/trivy/dev/docs/attestation/sbom/

Also, Trivy can scan an SBOM (currently CycloneDX only) for vulnerabilities.
https://aquasecurity.github.io/trivy/dev/docs/sbom/cyclonedx/

The next step is consuming the SBOM attestation and scanning it for vulnerabilities. There are some use cases as far as I know.

1. Fetch the attestation of a container image from an OCI registry, extract the SBOM and scan it for vulnerabilities
2. `cosign verify-attestation` returns the verified attestation, so Trivy takes it as input and scans it for vulnerabilities
3. Take a local file including an attestation and scan it

We may want to add a new subcommand for attestation like `trivy attestation` that takes an attestation as input. Then, the commands for each use case above could be as below.

```
$ trivy image --attest knqyf263/myapp:latest
$ cosign verify-attestation --key cosign.pub knqyf263/myapp:latest | trivy attestation -
$ trivy attestation ./vuln.json
```

Feedback is welcome.
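As an added example, not code from this issue or from Trivy or cosign, the following Go program shows the unpacking step that the second use case (`cosign verify-attestation ... | trivy attestation -`) would need before an SBOM scan can start. It assumes the shape cosign prints for a verified attestation: a DSSE envelope (`payloadType`, base64 `payload`, `signatures`) per line, whose payload is an in-toto Statement with the predicate type `https://cyclonedx.org/bom` for CycloneDX. The envelope, image name, digest and the placeholder signature in `BuildSampleEnvelope` are constructed sample data. Signature verification is deliberately left to cosign: this code should only ever see envelopes cosign has already verified, so the subject-digest check is there to make sure the SBOM describes the image the caller expects rather than some other image attested with the same key.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Envelope is the DSSE envelope that `cosign verify-attestation` prints, one JSON
// object per line. Signature checking is cosign's job; this code only unpacks
// envelopes that cosign has already verified.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto Statement
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Statement is the in-toto Statement carried in the envelope payload.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"` // the SBOM itself
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

const (
	inTotoPayloadType  = "application/vnd.in-toto+json"
	inTotoStatementV01 = "https://in-toto.io/Statement/v0.1"
	cycloneDXPredicate = "https://cyclonedx.org/bom" // predicateType cosign uses for --type cyclonedx (assumption)
)

// ExtractCycloneDX unpacks one verified envelope and returns the CycloneDX BOM
// (the predicate) ready for an SBOM scan. wantSHA256 is the hex digest of the
// image the caller expects the SBOM to describe; "" skips that check.
func ExtractCycloneDX(envelope []byte, wantSHA256 string) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(envelope, &env); err != nil {
		return nil, fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	if len(env.Signatures) == 0 {
		return nil, errors.New("envelope carries no signatures")
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parse statement: %w", err)
	}
	if st.Type != inTotoStatementV01 {
		return nil, fmt.Errorf("unexpected statement type %q", st.Type)
	}
	if st.PredicateType != cycloneDXPredicate {
		return nil, fmt.Errorf("predicateType %q is not CycloneDX", st.PredicateType)
	}
	if wantSHA256 != "" && !subjectMatches(st.Subject, wantSHA256) {
		return nil, fmt.Errorf("no subject with sha256 %s", wantSHA256)
	}
	if len(st.Predicate) == 0 || string(st.Predicate) == "null" {
		return nil, errors.New("statement has no predicate")
	}
	return st.Predicate, nil
}

func subjectMatches(subjects []Subject, wantSHA256 string) bool {
	for _, s := range subjects {
		if s.Digest["sha256"] == wantSHA256 {
			return true
		}
	}
	return false
}

// BuildSampleEnvelope constructs demo input shaped like cosign output. It is
// constructed sample data: the signature is a placeholder and nothing is signed.
func BuildSampleEnvelope(predicateType, sha256, bomJSON string) []byte {
	st := Statement{
		Type:          inTotoStatementV01,
		PredicateType: predicateType,
		Subject:       []Subject{{Name: "index.docker.io/knqyf263/myapp", Digest: map[string]string{"sha256": sha256}}},
		Predicate:     json.RawMessage(bomJSON),
	}
	stJSON, _ := json.Marshal(st)
	env := Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(stJSON), Signatures: []Signature{{Sig: "placeholder"}}}
	out, _ := json.Marshal(env)
	return out
}

func main() {
	// With "-" as the only argument, envelopes are read from stdin one per line,
	// mirroring `cosign verify-attestation ... | trivy attestation -`; otherwise a
	// constructed sample (placeholder digest, tiny BOM) is used.
	sample := BuildSampleEnvelope(cycloneDXPredicate, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
		`{"bomFormat":"CycloneDX","specVersion":"1.4","components":[{"type":"library","name":"lodash","version":"4.17.20","purl":"pkg:npm/lodash@4.17.20"}]}`)
	in := bufio.NewScanner(bytes.NewReader(sample))
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = bufio.NewScanner(os.Stdin)
	}
	in.Buffer(make([]byte, 1<<20), 64<<20) // SBOM payloads can be large
	for in.Scan() {
		bom, err := ExtractCycloneDX(in.Bytes(), "")
		if err != nil {
			fmt.Fprintln(os.Stderr, "skipping envelope:", err)
			continue
		}
		os.Stdout.Write(bom) // this is what the CycloneDX scanner would consume
		fmt.Println()
	}
}
```

Pass the image digest you are actually scanning as `wantSHA256` in real use; with `""` the program accepts an SBOM for any subject, which is fine for a demo but not for a pipeline.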