This PR adds autodiscovery capabilities to the VEX processor when scanning container images.

The discovery feature is disabled by default; this PR proposes a new `--vex-autodiscover` flag that starts the autodiscover flow when set. The whole autodiscover logic is performed by the `openvex/discovery` module. It looks for OpenVEX attestations attached, using the sigstore attestation spec, to the container image being scanned. If any are found, they are retrieved from the image registry and any applicable OpenVEX statements are added to the VEX history computation. In other words, any documents found attached to the image are mixed with those specified via the command line with `--vex`.

This implements most of 3 & 4 of our plan outlined in #1365.

At this time we are not performing any signature verification or lookups in other registries.
Signed-off-by: Adolfo Garcia Veytia (puerco) [email protected]
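To make the described flow concrete, below is an added, self-contained Go sketch; it is not code from this PR or from the `openvex/discovery` module. It assumes simplified OpenVEX statement shapes (string vulnerability IDs and product lists, not the real go-vex types), an assumed predicate-type prefix `https://openvex.dev/ns` for recognizing OpenVEX predicates, and an in-memory map standing in for the registry, keyed by cosign's `sha256-<digest>.att` attestation tag. Attestations are DSSE envelopes whose base64 payload is an in-toto statement; only OpenVEX predicates are kept, a provenance attestation on the same image is skipped, and the discovered statements are merged with a command-line document using OpenVEX's latest-timestamp rule. As in the PR, no signature is verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Simplified OpenVEX shapes (assumption for this example, not go-vex types).
type Statement struct {
	Vulnerability string    `json:"vulnerability"`
	Products      []string  `json:"products"`
	Status        string    `json:"status"`
	Timestamp     time.Time `json:"timestamp"`
}

type Document struct {
	ID         string      `json:"@id"`
	Statements []Statement `json:"statements"`
}

// DSSE envelope as pushed by cosign; signatures omitted (no verification here).
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64-encoded in-toto statement
}

type intotoStatement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Assumed prefix identifying OpenVEX predicates inside in-toto statements.
const openVEXPredicatePrefix = "https://openvex.dev/ns"

// extractOpenVEX unwraps an envelope and returns its OpenVEX document,
// or an error when the statement carries some other predicate type.
func extractOpenVEX(env Envelope) (*Document, error) {
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	var st intotoStatement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(st.PredicateType, openVEXPredicatePrefix) {
		return nil, errors.New("not an OpenVEX predicate: " + st.PredicateType)
	}
	var doc Document
	if err := json.Unmarshal(st.Predicate, &doc); err != nil {
		return nil, err
	}
	return &doc, nil
}

// attestationTag is cosign's tag for attestations of an image digest.
func attestationTag(digest string) string {
	return "sha256-" + strings.TrimPrefix(digest, "sha256:") + ".att"
}

// discoverAttached simulates the registry lookup with an in-memory map and
// keeps only the envelopes that carry OpenVEX documents.
func discoverAttached(registry map[string][]Envelope, digest string) []Document {
	var docs []Document
	for _, env := range registry[attestationTag(digest)] {
		if doc, err := extractOpenVEX(env); err == nil {
			docs = append(docs, *doc)
		}
	}
	return docs
}

// mergeStatements flattens all documents; per (vulnerability, product) the
// statement with the latest timestamp wins, regardless of document order.
func mergeStatements(docs ...Document) []Statement {
	latest := map[string]Statement{}
	for _, d := range docs {
		for _, s := range d.Statements {
			for _, p := range s.Products {
				key := s.Vulnerability + "|" + p
				if prev, ok := latest[key]; !ok || s.Timestamp.After(prev.Timestamp) {
					latest[key] = Statement{s.Vulnerability, []string{p}, s.Status, s.Timestamp}
				}
			}
		}
	}
	keys := make([]string, 0, len(latest))
	for k := range latest {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make([]Statement, 0, len(keys))
	for _, k := range keys {
		out = append(out, latest[k])
	}
	return out
}

// envelope builds a DSSE envelope around a constructed in-toto statement.
func envelope(predicateType string, predicate any) Envelope {
	pred, _ := json.Marshal(predicate)
	st, _ := json.Marshal(intotoStatement{"https://in-toto.io/Statement/v0.1", predicateType, pred})
	return Envelope{"application/vnd.in-toto+json", base64.StdEncoding.EncodeToString(st)}
}

// Constructed sample data: a hypothetical digest and product identifier.
const sampleDigest = "sha256:0123456789abcdef"
const sampleProduct = "pkg:apk/example/bash@5.2"

// cliDocument stands in for a document passed via --vex (older "affected").
func cliDocument() Document {
	t := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	return Document{"https://example.com/vex/cli", []Statement{{"CVE-2023-0001", []string{sampleProduct}, "affected", t}}}
}

// sampleRegistry holds one provenance attestation (ignored) and one newer OpenVEX attestation.
func sampleRegistry() map[string][]Envelope {
	t := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC)
	vex := Document{"https://example.com/vex/attached", []Statement{
		{"CVE-2023-0001", []string{sampleProduct}, "not_affected", t},
		{"CVE-2023-0002", []string{sampleProduct}, "fixed", t},
	}}
	prov := map[string]string{"builder": "example-ci"}
	return map[string][]Envelope{attestationTag(sampleDigest): {
		envelope("https://slsa.dev/provenance/v1", prov),
		envelope(openVEXPredicatePrefix+"/v0.2.0", vex),
	}}
}

func main() {
	attached := discoverAttached(sampleRegistry(), sampleDigest)
	merged := mergeStatements(append([]Document{cliDocument()}, attached...)...)
	for _, s := range merged {
		fmt.Printf("%s %s %s (%s)\n", s.Vulnerability, s.Products[0], s.Status, s.Timestamp.Format(time.RFC3339))
	}
}
```

Running it prints the two resolved statements: the attached, newer `not_affected` supersedes the command-line `affected` for CVE-2023-0001, and CVE-2023-0002 arrives only from the attestation. Because nothing is verified, a registry that can write the `.att` tag can flip a finding to `not_affected`; that is exactly the gap the "no signature verification" caveat leaves open.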