Merge branch 'main' into cassandra-medusa

chainguard-images · Jan 25, 2024 · 0866a64 · 0866a64
2 parents 06877f0 + 73cf043
commit 0866a64
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 8 deletions.
diff --git a/.github/chainguard/digestabot.sts.yaml b/.github/chainguard/digestabot.sts.yaml
@@ -0,0 +1,9 @@
+issuer: https://token.actions.githubusercontent.com
+subject: repo:chainguard-images/images:ref:refs/heads/main
+claim_pattern:
+  job_workflow_ref: chainguard-images/images/.github/workflows/digestabot.yaml@refs/heads/main
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write
diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml
@@ -9,15 +9,21 @@ jobs:
   image-update:
     name: Image digest update
     runs-on: ubuntu-latest
+    if: github.repository == 'chainguard-images/images'
 
     permissions:
-      contents: write
-      pull-requests: write
-      id-token: write
+      contents: read # To clone the repo
+      id-token: write # To gitsign and federate
 
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - uses: chainguard-dev/actions/digesta-bot@main
-        with:
-          token: ${{ secrets.DIGEST_BOT_CHAINGUARD_IMAGES_PAT }}
-          signoff: true
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+    - uses: chainguard-dev/actions/octo-sts@main
+      id: octo-sts
+      with:
+        scope: ${{ github.repository }}
+        identity: digestabot
+
+    - uses: chainguard-dev/actions/digesta-bot@main
+      with:
+        token: ${{ steps.octo-sts.outputs.token }}
diff --git a/BEST_PRACTICES.md b/BEST_PRACTICES.md
@@ -262,3 +262,15 @@ Other tests that should be considered:
 * Tests for any configuration options provided e.g. setting a password
 * Mounting data or configuration e.g. running nginx with a HTML directory
 * Connecting via another container
+
+## Vulnerability scanning
+
+Use Grype to find vulnerabilities in Chainguard images. Note that we rely on a tweaked configuration when monitoring vulnerabilities. Add the following content to the file `~/.grype.yaml` to capture more accurate findings:
+
+```
+external-sources:
+  enable: true
+  maven:
+    search-upstream-by-sha1: true
+    base-url: https://search.maven.org/solrsearch/select
+```