
in-toto Attestation Framework Output

Open Forrin opened this issue 10 months ago • 2 comments

Describe the issue

We're using Checkov and interested in a different output format. We'd like the data to follow the in-toto Attestation Specification. In-toto has a vulnerability predicate type that can be seen here: https://github.com/in-toto/attestation/blob/main/spec/predicates/vuln.md

The full in-toto Attestation spec can be seen here: https://github.com/in-toto/attestation/tree/main/spec

This format is used for signed metadata related to more than just security scans. It's useful for analyzing what occurred during a software pipeline.

The in-toto tooling is under the CNCF, which is part of the Linux Foundation.

Trivy supports this output, so adding it to Checkov would be a great addition. We have some dev resources that can assist with this, most likely.

Forrin avatar Apr 24 '24 19:04 Forrin
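To make the requested mapping concrete, here is an added example (not Checkov's code and not code from the in-toto project) that turns a list of Checkov-style failed checks into an unsigned in-toto Statement carrying the vulnerability predicate from the spec linked above. The Statement and predicate field names are taken from that spec; the `failed_checks` key names (`check_id`, `check_name`, `file_path`, `resource`, `severity`), the `"checkov"` severity method label and the sample Terraform file are assumptions constructed for the example and should be checked against real Checkov JSON output.

```python
"""Added example: build an in-toto Statement with the vulns predicate from
Checkov-style findings. Not Checkov's own code; field names for the Statement
and predicate follow the linked in-toto spec, Checkov key names are assumed."""
import hashlib
import json
from datetime import datetime, timezone

# Layout assumed from the in-toto Statement v1 and vulns predicate spec.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
VULN_PREDICATE_TYPE = "https://in-toto.io/attestation/vulns/v0.2"

# Constructed sample input: a small Terraform file standing in for the scanned artifact.
SAMPLE_TF_PATH = "main.tf"
SAMPLE_TF_CONTENT = b'resource "aws_s3_bucket" "b" {\n  bucket = "example"\n}\n'

# Constructed sample in the assumed shape of Checkov's JSON `failed_checks` entries.
SAMPLE_FAILED_CHECKS = [
    {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
     "file_path": "/main.tf", "resource": "aws_s3_bucket.b", "severity": "LOW"},
    {"check_id": "CKV_AWS_145", "check_name": "Ensure that S3 buckets are encrypted with KMS by default",
     "file_path": "/main.tf", "resource": "aws_s3_bucket.b", "severity": "HIGH"},
]


def sha256_hex(data: bytes) -> str:
    """Digest used to bind the Statement subject to the exact scanned bytes."""
    return hashlib.sha256(data).hexdigest()


def failed_check_to_result(check: dict) -> dict:
    """Map one failed Checkov check to one entry of predicate.scanner.result."""
    result = {"id": check["check_id"]}
    if check.get("severity"):
        # The spec expects a list of {"method", "score"} objects; Checkov severities
        # are categorical, so "checkov" as the method name is an assumption here.
        result["severity"] = [{"method": "checkov", "score": check["severity"]}]
    # Context that does not fit the fixed fields goes into annotations.
    result["annotations"] = [
        {"name": "check_name", "value": check.get("check_name", "")},
        {"name": "resource", "value": check.get("resource", "")},
        {"name": "file_path", "value": check.get("file_path", "")},
    ]
    return result


def build_vuln_statement(subject_name: str, subject_bytes: bytes, failed_checks: list,
                         scanner_version: str, started: datetime, finished: datetime) -> dict:
    """Assemble the unsigned Statement; signing into a DSSE envelope is a separate step."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex(subject_bytes)}}],
        "predicateType": VULN_PREDICATE_TYPE,
        "predicate": {
            "scanner": {
                "uri": "pkg:pypi/checkov",  # package URL form of the scanner identity (assumed)
                "version": scanner_version,
                # Checkov ships its checks with the tool, so the "db" version tracks the tool.
                "db": {"uri": "pkg:pypi/checkov", "version": scanner_version,
                       "lastUpdate": started.isoformat()},
                "result": [failed_check_to_result(c) for c in failed_checks],
            },
            "metadata": {"scanStartedOn": started.isoformat(),
                         "scanFinishedOn": finished.isoformat()},
        },
    }


def validate_statement(stmt: dict) -> list:
    """Return a list of problems a consumer would reject the Statement for (empty = ok)."""
    problems = []
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append("wrong _type")
    if stmt.get("predicateType") != VULN_PREDICATE_TYPE:
        problems.append("wrong predicateType")
    subjects = stmt.get("subject") or []
    if not subjects or any(not s.get("digest") for s in subjects):
        problems.append("subject must be non-empty and carry a digest")
    scanner = stmt.get("predicate", {}).get("scanner", {})
    for key in ("uri", "version", "result"):
        if key not in scanner:
            problems.append(f"scanner.{key} missing")
    if any("id" not in r for r in scanner.get("result", [])):
        problems.append("every result needs an id")
    return problems


def sample_statement() -> dict:
    """Build the Statement for the constructed sample above."""
    started = datetime(2024, 4, 24, 19, 0, tzinfo=timezone.utc)
    finished = datetime(2024, 4, 24, 19, 1, tzinfo=timezone.utc)
    return build_vuln_statement(SAMPLE_TF_PATH, SAMPLE_TF_CONTENT, SAMPLE_FAILED_CHECKS,
                                "3.2.0", started, finished)  # version value is constructed


if __name__ == "__main__":
    stmt = sample_statement()
    assert validate_statement(stmt) == []
    print(json.dumps(stmt, indent=2))
```

The `validate_statement` check is what a downstream policy engine would do before trusting the payload: confirm the Statement type, the predicate type and that the subject digest is present, since without the digest the attestation cannot be tied to the artifact that was actually scanned. The JSON this produces is the payload that would then be wrapped and signed, which is the "signed metadata" the issue refers to.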

Hey @Forrin We have a contribution PR for this - https://github.com/bridgecrewio/checkov/pull/6488 Do you want to take a look? Thanks.

ChanochShayner avatar Jul 15 '24 14:07 ChanochShayner


Sure, I'll take a look in a bit.

Forrin avatar Jul 18 '24 18:07 Forrin