
(feat) add support for attestations stored as image manifest

Open RealHarshThakur opened this issue 2 years ago • 6 comments

Description of the PR

Currently, GUAC only works with certain OCI images. Build tools store attestations in a variety of ways as of now, and it might take them a while to adapt to using referrers. As of now, Docker stores the attestation in an image manifest, and it would be wonderful for GUAC to support that, as Docker is a popular tool for building containers. I'm not entirely sure if this is the right way to implement this; I'd appreciate any feedback to make this change a reality.

PR Checklist

  • [x] All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • [ ] All new changes are covered by tests
  • [ ] If GraphQL schema is changed, make generate has been run
  • [ ] If collectsub protobuf has been changed, make proto has been run
  • [ ] All CI checks are passing (tests and formatting)
  • [ ] All dependent PRs have already been merged

RealHarshThakur avatar Nov 10 '23 16:11 RealHarshThakur
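
The layout the description refers to, as an added example that is not code from this PR or from GUAC: Docker BuildKit lists each attestation manifest in the image index next to the image it describes, linked by the vnd.docker.reference.type and vnd.docker.reference.digest annotations. The function name and the sample index (with made-up, shortened digests) are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Annotation keys BuildKit sets on an attestation manifest's index entry.
const refType = "vnd.docker.reference.type"     // value "attestation-manifest"
const refDigest = "vnd.docker.reference.digest" // digest of the attested image

type descriptor struct {
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
}

// Constructed sample index (made-up short digests); sha256:cccc has no subject here.
const sampleIndex = `{"manifests":[
 {"digest":"sha256:aaaa","platform":{"architecture":"amd64","os":"linux"}},
 {"digest":"sha256:bbbb","annotations":{"vnd.docker.reference.type":"attestation-manifest","vnd.docker.reference.digest":"sha256:aaaa"}},
 {"digest":"sha256:cccc","annotations":{"vnd.docker.reference.type":"attestation-manifest","vnd.docker.reference.digest":"sha256:dddd"}}]}`

// AttestationsBySubject returns attestations per image digest, plus orphaned attestations.
func AttestationsBySubject(raw []byte) (map[string][]string, []string, error) {
	var idx struct{ Manifests []descriptor }
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, nil, fmt.Errorf("decode index: %w", err)
	}
	images := map[string]bool{}
	for _, m := range idx.Manifests {
		if m.Annotations[refType] != "attestation-manifest" {
			images[m.Digest] = true
		}
	}
	bySubject, orphans := map[string][]string{}, []string{}
	for _, m := range idx.Manifests {
		if m.Annotations[refType] != "attestation-manifest" {
			continue
		}
		if subj := m.Annotations[refDigest]; images[subj] {
			bySubject[subj] = append(bySubject[subj], m.Digest)
		} else {
			orphans = append(orphans, m.Digest)
		}
	}
	return bySubject, orphans, nil
}

func main() { fmt.Println(AttestationsBySubject([]byte(sampleIndex))) }
```

An attestation whose subject digest is not in the same index is returned as an orphan rather than attached to any image, so a collector can decline to ingest it.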

Hi @RealHarshThakur thanks for the PR! This is actually something I created an issue on #1370 so it's great to see somebody picking up this work. There is a bit of overlap here with #1449 which I believe will also cover collection of these types of attestations. But, this change also will move away from regclient to google/go-containerregistry as the library to access OCI packages. The community is discussing this change in #1456. Don't take it as a reason to stop further work on this - just wanted to bring you up to speed on this topic :)

ridhoq avatar Nov 10 '23 22:11 ridhoq

My bad 😓 I had it on my todo list before the issue was created and just found this weekend to hack on it. From skimming the other PR, I think one way to move forward would be for me to refactor this PR to focus on processor and parser. Essentially, all changes to introduce DocumentITE6SPDX.

RealHarshThakur avatar Nov 10 '23 23:11 RealHarshThakur

This pull request has been automatically marked as stale because it has not had recent activity (60 days of inactivity). It will be closed in 30 days if no further activity occurs. Thank you for your contribution!

stale[bot] avatar Jan 13 '24 14:01 stale[bot]

Sorry for the delay, I'll try to make some time this month.

RealHarshThakur avatar Jan 15 '24 18:01 RealHarshThakur

This pull request has been automatically marked as stale because it has not had recent activity (60 days of inactivity). It will be closed in 30 days if no further activity occurs. Thank you for your contribution!

stale[bot] avatar Mar 15 '24 19:03 stale[bot]

Adding comment to ensure this does not close.

pxp928 avatar Mar 26 '24 21:03 pxp928

This pull request has been automatically marked as stale because it has not had recent activity (60 days of inactivity). It will be closed in 30 days if no further activity occurs. Thank you for your contribution!

stale[bot] avatar May 26 '24 00:05 stale[bot]

This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen it (or open a new one) if the proposed change is still appropriate. Thank you for your contribution!

stale[bot] avatar Jun 25 '24 00:06 stale[bot]