in-toto Attestation Framework Output #6208
Labels
contribution requested
This is a great feature idea, but we will need a contribution to get it added to Checkov.
enhancement
New feature or request
outputs
Describe the issue
We're using Checkov and interested in a different output format. We'd like the data to follow the in-toto Attestation Specification. In-toto has a vulnerability predicate type that can be seen here: https://github.com/in-toto/attestation/blob/main/spec/predicates/vuln.md
The full in-toto Attestation spec can be seen here: https://github.com/in-toto/attestation/tree/main/spec
This format is used for signed metadata related to more than just security scans. It's useful for analyzing what occurred during a software pipeline.
The in-toto tooling is under the CNCF, which is part of the Linux Foundation.
Trivy supports this output, so adding it to Checkov would be a great addition. We have some dev resources that can assist with this, most likely.
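As an added example (not Checkov's or in-toto's own code), this shows how a Checkov-style list of failed checks could be wrapped in an in-toto Statement carrying the vuln predicate, with the scanned file bound by its SHA-256 digest as the subject. The finding field names, the sample Terraform bytes and the scanner version are constructed assumptions, and the predicate layout follows the v0.1 vuln predicate as I read the linked spec, so verify it against that document before relying on it.

```python
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
VULN_PREDICATE_TYPE = "https://in-toto.io/attestation/vulns/v0.1"

# Constructed sample input: a simplified Checkov-style list of failed checks.
# The field names are an assumption for illustration, not Checkov's real schema.
SAMPLE_FAILED_CHECKS = [
    {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.logs", "file_path": "/main.tf",
     "severity": "HIGH", "guideline": "https://example.invalid/guideline/CKV_AWS_20"},
    {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs", "file_path": "/main.tf",
     "severity": "LOW", "guideline": None},
]
SAMPLE_SUBJECT = b'resource "aws_s3_bucket" "logs" {\n  bucket = "logs"\n}\n'  # constructed

def build_vuln_statement(subject_name, subject_bytes, failed_checks, scanner_version,
                         scan_started_on, scan_finished_on):
    """Wrap scan findings in an in-toto Statement with the vuln predicate. The subject is
    bound by SHA-256 so a verifier can tie the attestation to the exact bytes scanned,
    not just a file name. Timestamps are RFC 3339 strings (e.g. 2024-01-01T12:00:00Z)."""
    results = []
    for chk in failed_checks:
        entry = {
            "id": chk["check_id"],
            # Checkov emits a severity label, not a numeric score; "method" records
            # which scale the "score" string belongs to.
            "severity": [{"method": "checkov", "score": chk["severity"]}],
            "annotations": [{"resource": chk["resource"], "file_path": chk["file_path"]}],
        }
        if chk.get("guideline"):  # optional field, attach only when present
            entry["annotations"].append({"guideline": chk["guideline"]})
        results.append(entry)
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name,
                     "digest": {"sha256": hashlib.sha256(subject_bytes).hexdigest()}}],
        "predicateType": VULN_PREDICATE_TYPE,
        "predicate": {
            # No "db" block: Checkov's policies ship with the tool, not a separate database.
            "scanner": {"uri": "pkg:pypi/checkov@" + scanner_version,
                        "version": scanner_version, "result": results},
            "metadata": {"scanStartedOn": scan_started_on, "scanFinishedOn": scan_finished_on},
        },
    }

def build_sample_statement():
    """Statement for the constructed sample above; "3.2.0" is a placeholder version."""
    return build_vuln_statement("main.tf", SAMPLE_SUBJECT, SAMPLE_FAILED_CHECKS, "3.2.0",
                                "2024-01-01T12:00:00Z", "2024-01-01T12:00:05Z")
```

The resulting Statement is the payload that would then be wrapped in a DSSE envelope and signed, which is what makes it an attestation rather than plain scan output.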