Skip to content

Instantly share code, notes, and snippets.

@knqyf263
Last active July 29, 2022 18:56
Show Gist options
  • Save knqyf263/2f1fe2c83bcab353e0271c4dddb87a61 to your computer and use it in GitHub Desktop.
Save knqyf263/2f1fe2c83bcab353e0271c4dddb87a61 to your computer and use it in GitHub Desktop.
Kyverno Vulnerability Attestation
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-vulnerabilities
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 10
failurePolicy: Fail
rules:
- name: no-critical-vuln
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "*"
attestors:
- entries:
- keyless:
subject: "[email protected]"
issuer: "https://github.com/login/oauth"
attestations:
- predicateType: cosign.sigstore.dev/attestation/vuln/v1
conditions:
- all:
- key: "{{scanner.uri}}"
operator: Equals
value: "pkg:github/aquasecurity/trivy@*"
- key: "{{scanner.result.Results[].Vulnerabilities[].Severity | (contains(@, 'HIGH') || contains(@, 'CRITICAL'))}}"
operator: Equals
value: false
@knqyf263
Copy link
Author

Yes, it will be included in the next release.
https://github.com/aquasecurity/trivy/milestone/8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment