Add registry certificate verification support #169
This looks like a solid add! I don't want to merge this before taking a look at the proposed changes in syft and grype, can you open up those PRs for a code review as well? (it's ok if all the tests fail due to the go mod replace)
Thank you for your affirmation. I will submit pull requests for Syft and Grype later.
I submitted PRs for syft and grype. syft: grype:
@5p2O5pe25ouT we were chatting about this internally: before adding a custom config item in syft and grype, are there other workarounds that would be kosher? For instance, adding the cert to your local keychain and leaning on the system certificate pool would be the most straightforward approach. Is there a reason this wouldn't work in your case?
@wagoodman we are an enterprise serving the military industry. We have strict permission requirements for the system directory during development. We usually do not add the cert to the system certificate pool. So we need to specify the path of the certificate when using it.
@5p2O5pe25ouT I can help get this PR (and the syft/grype ones) across the finish line -- one thing that I'll need you to do is to sign off your commits.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
I ended up adding a beefy integration test to ensure it's all wired up alright. Thanks for the contribution @5p2O5pe25ouT, I'll get this in and shepherd in the syft and grype PRs you opened for this.
I want to help add support for carrying certificates when Grype scans the registry. I have implemented the feature of carrying certificates in the local code through Go Mod Replace and added a certificate configuration to the .grypt.yaml file. Currently, I have modified the code on Stereoscope and hope to contribute.
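
The trade-off discussed in this thread, as an added Go example that is not taken from the stereoscope, syft or grype code: a client that trusts a registry certificate loaded from a file path while leaving the system certificate pool untouched. The helper names, the temp-file path and the local `httptest` server standing in for a private registry are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// tlsConfigFromCAFile (hypothetical helper) trusts only the CAs in the PEM file at path, never the system pool.
func tlsConfigFromCAFile(path string) (*tls.Config, error) {
	pemBytes, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool() // starts empty: no system roots are included
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no PEM certificates found in %s", path)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// probe returns nil if an HTTPS GET to url passes certificate verification under cfg.
func probe(url string, cfg *tls.Config) error {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// demo writes a local test server's certificate (constructed stand-in for a private
// registry) to caPath, which the caller owns, then probes with and without that file.
func demo(caPath string) (withFile, withDefaults error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	block := &pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw}
	if err := os.WriteFile(caPath, pem.EncodeToMemory(block), 0o600); err != nil {
		return err, err
	}
	cfg, err := tlsConfigFromCAFile(caPath)
	if err != nil {
		return err, err
	}
	return probe(srv.URL, cfg), probe(srv.URL, nil) // nil config: Go's default trust (system roots)
}

func main() { fmt.Println(demo(os.TempDir() + "/example-registry-ca.pem")) }
```

Because the pool starts empty, a client built this way rejects registries whose certificates chain only to public CAs; that is the intended behaviour when the file is the sole trust anchor.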