ratify

Artifact Ratification Framework

Results 198 ratify issues

### What would you like to be added? Currently Ratify supports keyless verification with Cosign 1.x only. Since Cosign 2.0, keyless verification requires OIDC identities and OIDC issuers. Ratify needs...

enhancement

### What would you like to be added? This issue aims to document how to track breaking changes. As discussed in the community meeting: - the PR should contain a...

enhancement

### What would you like to be added? Now that we have support for rego policy provider, we should deprecate config policy provider as it is very limited and not...

enhancement

### What would you like to be added? We are introducing a license deny list to the existing SBOM verifier. We are unsure if the current license checker plugin with...

enhancement

### What would you like to be added? New verifiers, such as vulnerability report verifier, will allow users to pass through artifact contents in the verifier report which is embedded...

enhancement

### What happened in your environment? The docs for cosign mention the default `rekorURL` is the sigstore one. However, the value is not truly default. It must be set currently....

bug

### What would you like to be added? The ratify e2e tests use a lot of different OSS tools for artifact creation such as notation, trivy, oras, etc. We should...

enhancement
good first issue

### What would you like to be added? The current default behavior of ratify policies applies universally to all registries. However, there is room for improvement in terms of security...

enhancement

### What would you like to be added? The error message of signature verification is not concise and actionable, see example, Example1: "verification failed: Error: referrers not found, Code: REFERRERS_NOT_FOUND,...

enhancement

### What would you like to be added? Currently, Cosign defaults to use a single image tagged with sha of the reference image with a postfix of `.sig`. All signatures...

enhancement