ratify-project · junczhu · Jan 15, 2025 · Jan 15, 2025
@@ -0,0 +1,3 @@
+vulnerabilities:
+  - id: CVE-2024-45338
+    statement: kubectl is not vulnerable to this and is reason for being flagged
@@ -38,7 +38,7 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 15
     env:
-      TRIVY_VERSION: 0.49.1
+      TRIVY_VERSION: 0.58.2
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
@@ -73,6 +73,5 @@ jobs:
           done
       - name: Run trivy on images and exit on HIGH/CRITICAL severity
         run: |
-          for img in "localbuild:test" "localbuildcrd:test"; do
-              trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "${img}"
-          done
+          trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "localbuild:test"
+          trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" --show-suppressed --ignorefile ./.github/crd.trivyignore.yaml "localbuildcrd:test"
@@ -67,7 +67,7 @@ There are multiple tools for generating SBOMS such as Syft, Trivy, Microsoft SBO
 
 ### Docker Buildx Attestations
 
-Recently, Ratify added support for generating SBOM in-toto attestations via buildx. Buildx supports generating SBOM via Syft and attaching the attestation as an OCI Image part of the top level image index. Read more [here](https://ratify.dev/docs/next/troubleshoot/security#build-attestations).
+Recently, Ratify added support for generating SBOM in-toto attestations via buildx. Buildx supports generating SBOM via Syft and attaching the attestation as an OCI Image part of the top level image index. Read more [here](https://ratify.dev/docs/next/reference/security#build-attestations).
 
 Other OSS projects such as Gatekeeper publish attestations in a similar fashion. It's very simple to add such support making adoption more widespread.