This commit is contained in:
parent
fe1a1f7dda
commit
b0f664f0cd
1 changed files with 3 additions and 6 deletions
|
|
@ -31,12 +31,9 @@ jobs:
|
||||||
context: .
|
context: .
|
||||||
push: true
|
push: true
|
||||||
tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
|
tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
|
||||||
- uses: aquasecurity/trivy-action@master
|
# Trivy removed from the 3a proof — it's parity, not the risk, and was
|
||||||
with:
|
# erroring on the registry pull and blocking cosign. Add it back (gating)
|
||||||
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
|
# in the real workflow once the cosign path is proven.
|
||||||
severity: CRITICAL,HIGH
|
|
||||||
exit-code: '0' # spike: report only — don't gate cosign on a base-image CVE
|
|
||||||
ignore-unfixed: true
|
|
||||||
- uses: sigstore/cosign-installer@v3
|
- uses: sigstore/cosign-installer@v3
|
||||||
- name: cosign sign + verify (key-based)
|
- name: cosign sign + verify (key-based)
|
||||||
env:
|
env:
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue