-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(general): In toto output format #6488
base: main
Are you sure you want to change the base?
feat(general): In toto output format #6488
Conversation
Hi @SaraWeinberg1234, Thanks for your contribution, please add some tests |
Looks good to me! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a good start, but a lot of fields are hard-coded but shouldn't be and there are more fields that could be used.
{ | ||
"name": "", | ||
"digest": { | ||
"sha256": "fe4fe40ac7250263c5dbe1cf3138912f3f416140aa248637a60d65fe22c47da4" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this should be calculated not static
for check in report.failed_checks: | ||
in_toto_data["predicate"]["invocation"]["uri"] = "https://github.com/developer-guy/alpine/actions/runs/1071875574" | ||
in_toto_data["predicate"]["invocation"]["event_id"] = "1071875574" | ||
in_toto_data["predicate"]["invocation"]["builder.id"] = "GitHub Actions" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be based on the use of Checkov not static
|
||
for report in self.reports: | ||
for check in report.failed_checks: | ||
in_toto_data["predicate"]["invocation"]["uri"] = "https://github.com/developer-guy/alpine/actions/runs/1071875574" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this should not be static
in_toto_data["predicate"]["invocation"]["uri"] = "https://github.com/developer-guy/alpine/actions/runs/1071875574" | ||
in_toto_data["predicate"]["invocation"]["event_id"] = "1071875574" | ||
in_toto_data["predicate"]["invocation"]["builder.id"] = "GitHub Actions" | ||
in_toto_data["predicate"]["scanner"]["uri"] = "pkg:github/aquasecurity/trivy@244fd47e07d1004f0aed9" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be Checkov not Trivy and the version should not be static
"id": check.check_id, | ||
"severity": [ | ||
{ | ||
"method": "nvd", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"method": "nvd", | |
"method": "vendor", |
2b2948c
to
0d14fe1
Compare
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
in-toto Attestation
fixes: #6208
Description
Added output of in-toto Attestation format
Fix
How does someone fix the issue in code and/or in runtime?
Checklist: