Matthias Glastra

Results 27 issues of Matthias Glastra

I noticed that the in-toto/witness project had a nice issue and PR template set. Would it be wise to copy those over to the in-toto/go-witness project too? If that's helpful...

good first issue

After some investigation I found that the Attest part of the Product attestor does not exclude or include items specifically. It is taking into account the items when building the...

needs triage

Implementation of #3121. Open for feedback and input. These are some initial commits to add SLSA Provenance output based on in-toto attestations. I'm personally involved with the in-toto project. The implementation...

**Describe the solution you'd like:** Add support for creating dirhash for subjects/products as described in the in-toto attestation spec for the digestset ([here](https://github.com/in-toto/attestation/blob/main/spec/v1/digest_set.md#dirhash)). **User value:** This functionality would allow us...

## What this PR does / why we need it Implementing obfuscation of environment variables. Capturing secret values like tokens and API keys is a security risk and attestation should...

**Describe the solution you'd like:** When hashing 10000's of files, small and big, for both material and product, it takes time. Currently the hashing is done in serial while parallel...

feature

## Problem Witness relies as a dependency on go-witness. Some of the commands/attestors that are run are dependent on flags that are set through a global flag on the CLI. This...

needs triage

## What this PR does / why we need it Add install tutorial with cosign check. This allows people to install and verify the witness release. The additional pem output...

next release

What I notice is that it's only possible to assemble while setting the primary tags or the config and this is a limitation. What I am looking for is to...

It would be great to be able to use the purl as the bom-ref if it exists. It's unique in a bom in general and I see this pattern in...