feat(catalog): vulnerability-attestation scan-report referrer#152
Merged
Conversation
scan-image and scan-sbom now emit an in-toto vulnerability attestation (Trivy cosign-vuln record wrapped in an in-toto Statement); attach-scan-report attaches it as the referrer payload while keeping the com.cssc.scan.* summary annotations. Both reusable promote workflows pass the attestation through. Refs #146, #147, #148, #149, #150
Contributor
There was a problem hiding this comment.
Pull request overview
Implements the “vulnerability-attestation scan-report referrer” for promote-from-quarantine by replacing the previously empty scan-report referrer payload with a content-bearing in-toto vulnerability attestation (cosign-vuln predicate), while preserving existing com.cssc.scan.* summary annotations.
Changes:
- Add
attestation-pathoutputs toscan-imageandscan-sbom, producing an in-toto Statement wrapping Trivy’scosign-vulnrecord. - Update
attach-scan-reportto attach the in-toto Statement as the referrer payload (application/vnd.in-toto+json+in-toto.io/predicate-type), preserving existing summary annotations. - Wire both promote workflows to pass the new attestation file through, and update documentation to describe the new payload-bearing referrer.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/reference/workflow-actions.md | Updates the action catalogue entry to describe the scan-report referrer as a vuln attestation payload + summary annotations. |
| docs/architecture/catalog/README.md | Adds a link to the vulnerability-attestation scan report design doc (status text currently inconsistent). |
| docs/architecture/catalog/promote-from-quarantine-workflows.md | Updates workflow docs to describe the scan-report referrer as an in-toto vuln attestation payload. |
| docs/architecture/catalog/promote-from-quarantine-vuln-attestation.md | New/updated design doc describing the vulnerability-attestation referrer shape and retrieval. |
| .github/workflows/_promote-from-quarantine.yml | Passes scan.outputs.attestation-path into attach-scan-report. |
| .github/workflows/_promote-from-quarantine-sbom.yml | Passes scan.outputs.attestation-path into attach-scan-report. |
| .github/actions/scan-sbom/action.yml | Builds an image-level vuln attestation from merged per-platform SBOM scan JSON and emits attestation-path. |
| .github/actions/scan-image/action.yml | Converts the existing Trivy JSON report to cosign-vuln and wraps it in an in-toto Statement, emitting attestation-path. |
| .github/actions/attach-scan-report/action.yml | Attaches the attestation payload via oras attach with updated artifact type + predicate-type annotation and payload layer. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- drop (proposed) marker on the catalog README entry (now implemented) - reword design-doc recommendation to single cosign-vuln payload; move the raw-report second layer to an explicit optional-future-enhancement note
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements the vulnerability-attestation scan-report referrer (tracking #146).
Replaces the empty promote-from-quarantine scan-report referrer with a
content-bearing in-toto vulnerability attestation (Trivy
cosign-vulnrecord wrapped in an in-toto Statement) while keeping the existing
com.cssc.scan.*summary annotations on the referrer manifest.Changes
scan-image: emitsattestation-path— a Cosign vuln record (trivy convert --format cosign-vuln, no re-scan) wrapped in an in-toto Statement. (scan-image: emit a cosign-vuln in-toto vulnerability attestation #147)scan-sbom: emits an image-levelattestation-pathbuilt from the mergedper-platform reports. (scan-sbom: emit a vulnerability attestation for hardened images #148)
attach-scan-report: attaches the attestation as the referrer payload(
application/vnd.in-toto+json+in-toto.io/predicate-typeannotation,--disable-path-validation), keeping allcom.cssc.scan.*annotations. (attach-scan-report: attach the vuln attestation payload, keep annotations #149)Design
docs/architecture/catalog/promote-from-quarantine-vuln-attestation.md
Validation
get_errorsclean on all 5 changed files.actionlinton both workflows: only pre-existing SC2016/SC2129 info/style.shellcheck -S warningclean on all changed composite-action run blocks.Notes
application/vnd.cssc.scan-report.v1+json→application/vnd.in-toto+json; annotation readers are unaffected.Closes #146, #147, #148, #149, #150, #151