From 153c984e0ca6622eeb264125df5fd89d5f2ba66f Mon Sep 17 00:00:00 2001
From: Matt Moore <mattmoor@chainguard.dev>
Date: Wed, 24 Jan 2024 16:58:39 -0500
Subject: [PATCH 1/2] Have digestabot utilize Octo STS (#2119)

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
---
 .github/chainguard/digestabot.sts.yaml |  9 +++++++++
 .github/workflows/digestabot.yaml      | 22 ++++++++++++++--------
 2 files changed, 23 insertions(+), 8 deletions(-)
 create mode 100644 .github/chainguard/digestabot.sts.yaml

diff --git a/.github/chainguard/digestabot.sts.yaml b/.github/chainguard/digestabot.sts.yaml
new file mode 100644
index 0000000000..737e49484a
--- /dev/null
+++ b/.github/chainguard/digestabot.sts.yaml
@@ -0,0 +1,9 @@
+issuer: https://token.actions.githubusercontent.com
+subject: repo:chainguard-images/images:ref:refs/heads/main
+claim_pattern:
+  job_workflow_ref: chainguard-images/images/.github/workflows/digestabot.yaml@refs/heads/main
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write
diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml
index c549e85a78..e17e4d6bbd 100644
--- a/.github/workflows/digestabot.yaml
+++ b/.github/workflows/digestabot.yaml
@@ -9,15 +9,21 @@ jobs:
   image-update:
     name: Image digest update
     runs-on: ubuntu-latest
+    if: github.repository == 'chainguard-images/images'
 
     permissions:
-      contents: write
-      pull-requests: write
-      id-token: write
+      contents: read # To clone the repo
+      id-token: write # To gitsign and federate
 
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - uses: chainguard-dev/actions/digesta-bot@main
-        with:
-          token: ${{ secrets.DIGEST_BOT_CHAINGUARD_IMAGES_PAT }}
-          signoff: true
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+    - uses: chainguard-dev/actions/octo-sts@main
+      id: octo-sts
+      with:
+        scope: ${{ github.repository }}
+        identity: digestabot
+
+    - uses: chainguard-dev/actions/digesta-bot@main
+      with:
+        token: ${{ steps.octo-sts.outputs.token }}

From 73cf0432a3ff6991a9bd9827ff4a0f1f7d6515d0 Mon Sep 17 00:00:00 2001
From: Phil <philde@chainguard.dev>
Date: Thu, 25 Jan 2024 09:15:35 -0800
Subject: [PATCH 2/2] Best practices: Add section showing how to configure
 grype (#2120)

Signed-off-by: Philippe Deslauriers <philde@chainguard.dev>
---
 BEST_PRACTICES.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/BEST_PRACTICES.md b/BEST_PRACTICES.md
index 13b090a0cf..81849cc598 100644
--- a/BEST_PRACTICES.md
+++ b/BEST_PRACTICES.md
@@ -262,3 +262,15 @@ Other tests that should be considered:
 * Tests for any configuration options provided e.g. setting a password
 * Mounting data or configuration e.g. running nginx with a HTML directory
 * Connecting via another container
+
+## Vulnerability scanning
+
+Use Grype to find vulnerabilities in Chainguard images. Note that we rely on a tweaked configuration when monitoring vulnerabilities. Add the following content to the file `~/.grype.yaml` to capture more accurate findings:
+
+```
+external-sources:
+  enable: true
+  maven:
+    search-upstream-by-sha1: true
+    base-url: https://search.maven.org/solrsearch/select
+```