Pete Wagner

Results 12 comments of Pete Wagner

This could also just be documentation: we can write a sample workflow that fetches kubeaudit via `curl` and invokes it via `bash`. Wrapping the functionality as an Action(TM) is just...

Is CycloneDX the expected input format? (and if so, is this just a dupe of #737 ?) I'm considering containers like [eclipse-temurin:17-jre-alpine](https://github.com/adoptium/containers/blob/main/17/jdk/alpine/Dockerfile.releases.full), which fetch a trusted binary that existing catalogers...

We're using https://github.com/shopify/hansel as a hack today. For deb/apk/rpm-based distributions it generates empty packages that serve as simple hints: name+version. If there's a way we can accept+encode custom CPEs in...

> It's the other generated CPEs that don't include the "node.js" target_sw field that can result in false-positives.

This is the problem that brought me here:

* https://www.npmjs.com/package/through currently generates...

👋 thanks for the cool idea! Today you can trigger Dependabot manually in the "Insights -> Dependency Graph -> Dependabot" section of your repository, but as noted this can't be...

@techieshark you can push the updates to the `.github/dependabot.yaml` in order to trigger version updates immediately: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

Having repository A push the configuration file in repository B will update _all_...

Apologies for potential necromancy; like everyone else, this always comes up as a blocker for SOPS adoption in my organization. The solution I came up with is layering SOPS files:...

https://github.com/golangci/golangci-lint/issues/2137 is perhaps related, especially when this idea gets into shared presets like `airbnb-eslint`.

> This is because the reusable workflow is where the build provenance attestation is created.

Understood, a different error message will help. FWIW, that model surprised me. My assumption was...

@phillmv I think the claim calls it `job_workflow_ref`, so I have the burden of knowledge to want to call it that. A flag sounds great! My goal is to provide...