Skip to content

feat(catalog): vulnerability-attestation scan-report referrer#152

Merged
toddysm merged 4 commits into
mainfrom
feature/vuln-attestation-referrer
Jul 10, 2026
Merged

feat(catalog): vulnerability-attestation scan-report referrer#152
toddysm merged 4 commits into
mainfrom
feature/vuln-attestation-referrer

Conversation

@toddysm

@toddysm toddysm commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Implements the vulnerability-attestation scan-report referrer (tracking #146).

Replaces the empty promote-from-quarantine scan-report referrer with a
content-bearing in-toto vulnerability attestation (Trivy cosign-vuln
record wrapped in an in-toto Statement) while keeping the existing
com.cssc.scan.* summary annotations on the referrer manifest.

Changes

Design

docs/architecture/catalog/promote-from-quarantine-vuln-attestation.md

Validation

  • get_errors clean on all 5 changed files.
  • actionlint on both workflows: only pre-existing SC2016/SC2129 info/style.
  • shellcheck -S warning clean on all changed composite-action run blocks.
  • jq statement-wrapping and per-platform report merge unit-tested locally.

Notes

  • No signing (out of scope; can be layered on later).
  • Artifact type changes application/vnd.cssc.scan-report.v1+json
    application/vnd.in-toto+json; annotation readers are unaffected.

Closes #146, #147, #148, #149, #150, #151

toddysm added 3 commits July 9, 2026 20:27
scan-image and scan-sbom now emit an in-toto vulnerability attestation
(Trivy cosign-vuln record wrapped in an in-toto Statement); attach-scan-report
attaches it as the referrer payload while keeping the com.cssc.scan.* summary
annotations. Both reusable promote workflows pass the attestation through.

Refs #146, #147, #148, #149, #150
Copilot AI review requested due to automatic review settings July 10, 2026 03:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Implements the “vulnerability-attestation scan-report referrer” for promote-from-quarantine by replacing the previously empty scan-report referrer payload with a content-bearing in-toto vulnerability attestation (cosign-vuln predicate), while preserving existing com.cssc.scan.* summary annotations.

Changes:

  • Add attestation-path outputs to scan-image and scan-sbom, producing an in-toto Statement wrapping Trivy’s cosign-vuln record.
  • Update attach-scan-report to attach the in-toto Statement as the referrer payload (application/vnd.in-toto+json + in-toto.io/predicate-type), preserving existing summary annotations.
  • Wire both promote workflows to pass the new attestation file through, and update documentation to describe the new payload-bearing referrer.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
docs/reference/workflow-actions.md Updates the action catalogue entry to describe the scan-report referrer as a vuln attestation payload + summary annotations.
docs/architecture/catalog/README.md Adds a link to the vulnerability-attestation scan report design doc (status text currently inconsistent).
docs/architecture/catalog/promote-from-quarantine-workflows.md Updates workflow docs to describe the scan-report referrer as an in-toto vuln attestation payload.
docs/architecture/catalog/promote-from-quarantine-vuln-attestation.md New/updated design doc describing the vulnerability-attestation referrer shape and retrieval.
.github/workflows/_promote-from-quarantine.yml Passes scan.outputs.attestation-path into attach-scan-report.
.github/workflows/_promote-from-quarantine-sbom.yml Passes scan.outputs.attestation-path into attach-scan-report.
.github/actions/scan-sbom/action.yml Builds an image-level vuln attestation from merged per-platform SBOM scan JSON and emits attestation-path.
.github/actions/scan-image/action.yml Converts the existing Trivy JSON report to cosign-vuln and wraps it in an in-toto Statement, emitting attestation-path.
.github/actions/attach-scan-report/action.yml Attaches the attestation payload via oras attach with updated artifact type + predicate-type annotation and payload layer.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/architecture/catalog/README.md
Comment thread docs/architecture/catalog/promote-from-quarantine-vuln-attestation.md Outdated
- drop (proposed) marker on the catalog README entry (now implemented)
- reword design-doc recommendation to single cosign-vuln payload; move the
  raw-report second layer to an explicit optional-future-enhancement note
@toddysm
toddysm merged commit ceedf3f into main Jul 10, 2026
3 checks passed
@toddysm
toddysm deleted the feature/vuln-attestation-referrer branch July 10, 2026 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Vulnerability-attestation scan-report referrer

2 participants