Skip to content

Vulnerability Scan Record Attestation

This tutorial details

  • Scan your container image for vulnerabilities
  • Generate an attestation with Cosign

Prerequisites

  1. Trivy CLI installed
  2. Cosign installed

Scan Container Image for vulnerabilities

Scan your container image for vulnerabilities and save the scan result to a scan.json file:

trivy image --ignore-unfixed --format json --output scan.json anaisurlichs/cns-website:0.0.6

  • --ignore-unfixed: Ensures that only the vulnerabilities are displayed that have a already a fix available
  • --output scan.json: The scan output is saved to a scan.json file instead of being displayed in the terminal.

Note: Replace the container image with the container image that you would like to scan.

Attestation of the vulnerability scan with Cosign

The following command generates an attestation for the vulnerability scan and uploads it to our container image:

cosign attest --replace --predicate scan.json --type vuln anaisurlichs/cns-website:0.0.6

Note: Replace the container image with the container image that you would like to scan.

See here for more details.