github.com/devseccon/trivy@v0.47.1-0.20231123133102-bd902a0bd996/docs/tutorials/signing/vuln-attestation.md

# Vulnerability Scan Record Attestation

This tutorial details how to:

- Scan your container image for vulnerabilities
- Generate an attestation for the scan result with Cosign
#### Prerequisites

1. Trivy CLI installed
2. Cosign installed

#### Scan Container Image for vulnerabilities

Scan your container image for vulnerabilities and save the scan result to a scan.json file:
```
trivy image --ignore-unfixed --format json --output scan.json anaisurlichs/cns-website:0.0.6
```

* --ignore-unfixed: Only report vulnerabilities that already have a fix available.
* --output scan.json: The scan output is saved to a scan.json file instead of being displayed in the terminal.

Note: Replace the container image with the container image that you would like to scan.

#### Attestation of the vulnerability scan with Cosign

The following command generates an attestation whose predicate is the vulnerability scan result and uploads it to the registry alongside the container image:
```
cosign attest --replace --predicate scan.json --type vuln anaisurlichs/cns-website:0.0.6
```

Note: Replace the container image with the container image that you scanned in the previous step.
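The two steps above produce a scan document and bind it to the image as an attestation. The following added example (not code from the Trivy project or this tutorial) shows the consumer side of that procedure: it summarizes a Trivy-style scan document the way `--ignore-unfixed` would, and then checks a DSSE envelope of the kind `cosign verify-attestation` prints, confirming the predicate type and that the subject digest matches the image you pulled. Assumptions are labelled in the code: the scan document follows Trivy's JSON layout (`Results[].Vulnerabilities[]`), `COSIGN_VULN_PREDICATE_TYPE` is the predicate type URI cosign uses for `--type vuln`, the predicate carries the scan document itself, and the sample scan, digest and signature are constructed placeholders rather than real findings.

```python
"""Added example, not part of the Trivy docs. Inspect a Trivy JSON scan result
and check a verified vuln attestation envelope before trusting its contents.

Assumptions: Trivy's JSON layout for the scan; cosign's `--type vuln` predicate
type URI; a DSSE envelope shaped like `cosign verify-attestation` output with a
base64 in-toto Statement payload whose predicate is the scan document. Every
value below (CVE ids, digest, signature) is a constructed placeholder.
"""
import base64
import json
from collections import Counter

COSIGN_VULN_PREDICATE_TYPE = "https://cosign.sigstore.dev/attestation/vuln/v1"  # assumption
IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PLACEHOLDER_DIGEST = "0" * 64  # placeholder for the image's sha256 manifest digest

# Constructed sample in Trivy's JSON layout; the CVE ids are placeholders.
SAMPLE_SCAN = {
    "ArtifactName": "example.invalid/cns-website:0.0.6",
    "Results": [
        {"Target": "example.invalid/cns-website:0.0.6 (alpine 3.18.4)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libcrypto3",
              "InstalledVersion": "3.1.3-r0", "FixedVersion": "3.1.4-r0",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.1-r2", "Severity": "MEDIUM"},  # no fix yet
         ]},
        {"Target": "app/package.json",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
              "Severity": "CRITICAL"},
         ]},
    ],
}


def findings(scan, ignore_unfixed=False):
    """Flatten Results[].Vulnerabilities[]. With ignore_unfixed=True keep only
    entries that carry a FixedVersion, mirroring trivy's --ignore-unfixed."""
    out = []
    for result in scan.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            out.append(vuln)
    return out


def summarize(scan, ignore_unfixed=False):
    """Count findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 1}."""
    return dict(Counter(v.get("Severity", "UNKNOWN")
                        for v in findings(scan, ignore_unfixed)))


def build_statement(scan, image_digest):
    """In-toto Statement that binds the scan (as predicate) to an image digest."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": scan["ArtifactName"], "digest": {"sha256": image_digest}}],
        "predicateType": COSIGN_VULN_PREDICATE_TYPE,
        "predicate": scan,  # assumption: the predicate carries the scan document
    }


def make_envelope(statement):
    """Constructed DSSE-shaped envelope; the signature is a placeholder because
    producing and verifying it is cosign's job, not this script's."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})


def load_verified_attestation(envelope_json, expected_digest):
    """Decode the payload of an envelope cosign has already verified and check
    it is a vuln attestation bound to the digest of the image we pulled.
    A matching signature alone does not prove the attestation is about
    *this* image or *this* kind of claim; these two checks do."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % env.get("payloadType"))
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != COSIGN_VULN_PREDICATE_TYPE:
        raise ValueError("not a vuln attestation: %r" % stmt.get("predicateType"))
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected_digest not in digests:
        raise ValueError("attestation subject does not match the image digest")
    return stmt


if __name__ == "__main__":
    envelope = make_envelope(build_statement(SAMPLE_SCAN, PLACEHOLDER_DIGEST))
    stmt = load_verified_attestation(envelope, PLACEHOLDER_DIGEST)
    print("all findings:    ", summarize(stmt["predicate"]))
    print("fixable findings:", summarize(stmt["predicate"], ignore_unfixed=True))
```

In practice the envelope comes from `cosign verify-attestation --type vuln <image>` rather than from `make_envelope`, and `expected_digest` is the manifest digest you resolved for the image; the digest check matters because the attestation is keyed to the digest, not to the mutable tag used in the commands above.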

See [here][vuln-attestation] for more details.

[vuln-attestation]: ../../docs/supply-chain/attestation/vuln.md