This commit is contained in:
parent
fe1a1f7dda
commit
b0f664f0cd
1 changed files with 3 additions and 6 deletions
|
|
@ -31,12 +31,9 @@ jobs:
|
|||
context: .
|
||||
push: true
|
||||
tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
|
||||
- uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
|
||||
severity: CRITICAL,HIGH
|
||||
exit-code: '0' # spike: report only — don't gate cosign on a base-image CVE
|
||||
ignore-unfixed: true
|
||||
# Trivy removed from the 3a proof — it's parity, not the risk, and was
|
||||
# erroring on the registry pull and blocking cosign. Add it back (gating)
|
||||
# in the real workflow once the cosign path is proven.
|
||||
- uses: sigstore/cosign-installer@v3
|
||||
- name: cosign sign + verify (key-based)
|
||||
env:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue