Skip to content

Instantly share code, notes, and snippets.

@knqyf263

knqyf263/policy.yaml

Last active July 29, 2022 18:56
Show Gist options
  • Save knqyf263/2f1fe2c83bcab353e0271c4dddb87a61 to your computer and use it in GitHub Desktop.
Save knqyf263/2f1fe2c83bcab353e0271c4dddb87a61 to your computer and use it in GitHub Desktop.
Download ZIP
Kyverno Vulnerability Attestation
Raw
policy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-vulnerabilities
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 10
failurePolicy: Fail
rules:
- name: no-critical-vuln
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "*"
attestors:
- entries:
- keyless:
subject: "[email protected]"
issuer: "https://github.com/login/oauth"
attestations:
- predicateType: cosign.sigstore.dev/attestation/vuln/v1
conditions:
- all:
- key: "{{scanner.uri}}"
operator: Equals
value: "pkg:github/aquasecurity/trivy@*"
- key: "{{scanner.result.Results[].Vulnerabilities[].Severity | (contains(@, 'HIGH') || contains(@, 'CRITICAL'))}}"
operator: Equals
value: false
@knqyf263
Copy link
Author

knqyf263 commented Jul 28, 2022
edited
Loading 

$ trivy image --format cosign-vuln --output vuln.json knqyf263/cosign-test
$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json knqyf263/cosign-test

https://aquasecurity.github.io/trivy/dev/docs/attestation/vuln/

NOTE: keyless.subject and keyless.issuer should be updated accordingly.

@chipzoller
Copy link

Looks like this capability only in main currently.

@knqyf263
Copy link
Author

Yes, it will be included in the next release.
https://github.com/aquasecurity/trivy/milestone/8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment