vex
vexctl is a tool to attest VEX impact statements
We need to write an action to enable attesting an image right after building new container images. The idea is that you can add a step to any pipeline that...
Tutorial
I think we should add a tutorial to demo filtering and the whole flow end to end. We should add examples of scanner invocations. Some sample documents, maybe also publish...
Let's finish support for reading vex data from CycloneDX documents https://github.com/chainguard-dev/vex/issues/2#tasklist-block-133c5585-7876-4b84-90cc-0171d439df8c
Our internal vex format should be documented. It is most likely due to change as we start using the tool, but we need to show how to write one now.
While attestations are done and the code to sign and attach them is ready, using them is not finished yet.
If you specify sign=false and try to attach the unsigned attestation to an image, it will most likely fail as we have code to unmarshal the dsse envelope but not...
We should create a bunch of diagrams to illustrate how the whole image flow works
Currently, we read the known VEX data for a project from a simple file. At some point I think we should store it in the registry using a schema that...
Currently, to attest VEX data in an image, we point `vexctl` to a file containing the known VEX info for a project. We should think of a way to trust...
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.5.0. Release notes Sourced from actions/checkout's releases. v3.5.0 What's Changed Add new public key for known_hosts by @cdb in actions/checkout#1237 New Contributors @cdb made their...