dlorenc

Results 69 issues of dlorenc

I'm thinking of something like a SPIRE SVID/Bundle to attest that a build step was actually carried out by a particular workload, on a particular node. In the case of...

Consider translating the published threats doc to Markdown or another plain text format. That would allow others to contribute and make edits here in the repo.

helpwanted

We could have all the different RSS feeds wrapped up into one binary, exposed at different paths and triggered via different schedulers. Maybe something like: /npm /gems /pypi /crates etc....

Right now things are in individual GCS objects, formatted as JSON. This is easy to look at and browse, but probably not the best for querying. We could load these...

Right now our jobs run in standard Docker containers (python/node/ruby) specifically, as root users, in a k8s cluster. This is probably fairly accurate to many CI jobs. In #47, I...

https://wapm.io/ I don't think there are dynamic import issues, but still good to get into a feed!

While debugging an issue in wire I saw a GitHub issue requesting one: https://github.com/google/wire/issues/274 We already had it packaged, so why not! ## New Image Pull Request Template ### Image...

Sigstore infrastructure might meet the needs of the binary ledger here, did you consider using it?

This could work something like: ``` 1. Go through a k8s object looking for images 2. For each image, pull do something like "cosign verify" and get all verified payloads...

enhancement
help wanted