
cmd/advisory: sign the output file during export to verify later from consumers

Open · Dentrax opened this issue 1 year ago · 0 comments

Description

In the advisories repo, we currently do not sign the security.json artifact ^0 that is generated in the build-and-publish-secdb.yaml action. This file exists to be consumed by scanner DB pipelines.

The idea is to generate a signed output so that consumers (i.e., Trivy, Grype) can verify it later on (by adding support for that).

Dropping the idea here so we don't forget!

/cc @luhring @developer-guy

Dentrax · Jul 03 '23 11:07
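The sign-at-export / verify-at-consume flow proposed above, as an added example that is not wolfictl's or the advisories repo's code. Since the issue does not pick a signing scheme, it assumes a detached Ed25519 signature over the raw security.json bytes and a publisher public key pinned on the consumer side; the JSON sample is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedSecDB is the assumed export envelope: the exact security.json bytes
// plus a detached Ed25519 signature over those bytes.
type SignedSecDB struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Export is the publisher side (the secdb build action): sign the artifact
// with the publisher's private key at export time.
func Export(secdb []byte, priv ed25519.PrivateKey) SignedSecDB {
	return SignedSecDB{Payload: secdb, Signature: ed25519.Sign(priv, secdb)}
}

// Consume is the scanner side (Trivy/Grype-style pipeline): refuse to load
// the DB unless the signature verifies under the pinned publisher key.
// An absent signature is a hard failure, not a silent fallback.
func Consume(s SignedSecDB, pub ed25519.PublicKey) ([]byte, error) {
	if len(s.Signature) != ed25519.SignatureSize {
		return nil, errors.New("security.json: missing or malformed signature")
	}
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return nil, errors.New("security.json: signature verification failed")
	}
	return s.Payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // assumed publisher keypair
	secdb := []byte(`{"packages":[]}`)               // constructed sample DB
	signed := Export(secdb, priv)
	if _, err := Consume(signed, pub); err != nil {
		fmt.Println("unexpected:", err)
	}
	signed.Payload = []byte(`{"packages":[{"name":"tampered"}]}`) // tamper in transit
	_, err := Consume(signed, pub)
	fmt.Println("tampered DB rejected:", err != nil)
}
```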