Dustin Ingram

Results 88 issues of Dustin Ingram

While most advisories are automatically generated, occasionally they will be hand-written (e.g. https://github.com/pypa/advisory-database/pull/72/). It would be nice to add some basic linting that ensures files are correctly formatted and have...

For example, CVE-2022-24761/GHSA-4f7p-27jc-3c36 was published 5 days ago but is not present here.

## In which file did you encounter the issue?

https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/functions/helloworld/sample_http_test_integration.py

## Describe the issue

Based on issues described in https://github.com/GoogleCloudPlatform/functions-framework-python/issues/97, there is a simpler / less brittle integration test we...

type: cleanup
api: functions
samples

**Description** Similar to #243, CircleCI supports OIDC tokens: https://circleci.com/docs/2.0/openid-connect-tokens/ ~Also similar to #243, the `aud` is not customizable: https://circleci.canny.io/cloud-feature-requests/p/customizable-audience-claim-in-oidc-tokens~ The `aud` is now customizable: https://circleci.com/docs/oidc-tokens-with-custom-claims/

enhancement

**Description** @asraa pointed out to me that in at least one instance, the transparency log entry that corresponds to the index we received during one of our staging tests does...

enhancement

**Description** I'd like to explore a format for a "verification configuration bundle". This would be: * a single human-readable file (probably JSON) * with a specific extension (like `.sigstore`) *...

enhancement

In #114 @woodruffw raised that this file may become stale on new releases. To resolve this and provide a tighter feedback loop on a release -> update, we could -...

enhancement

Cosign supports 'ambient credential detection' for a number of environments where OIDC identities are available by default. We should also similarly support: - [x] GitHub Actions (#59) - [x] Google...

enhancement
component:signing

**Description** Similar to `cosign`'s `--bundle` flag, we should support generating offline Rekor bundles as well: E.g. from `cosign`: ``` --bundle string write everything required to verify the blob to a...

enhancement

On my profile page, I have notifications that say "User `` forked your project `` or "User `` starred your project ``, however sometimes these notifications are not about actual...