You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
contrib/install.sh verifies assets using checksum downloaded from trivy's github release.
When github repository is compromised, verifying with downloaded checksum is not safe because attacker can also manipulate checksum files in the github release asset, so I'd like to supply hardcoded checksum with trivy version so that we can verify if the asset is not changed.
kind/featureCategorizes issue or PR as related to a new feature.
1 participant
Heading
Bold
Italic
Quote
Code
Link
Numbered list
Unordered list
Task list
Attach files
Mention
Reference
Menu
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Description
contrib/install.sh verifies assets using checksum downloaded from trivy's github release.
When github repository is compromised, verifying with downloaded checksum is not safe because attacker can also manipulate checksum files in the github release asset, so I'd like to supply hardcoded checksum with trivy version so that we can verify if the asset is not changed.
I also hope this feature is applied to https://github.com/aquasecurity/setup-trivy either once it's implemented.
Verifying binaries with cosign also has a point(#10439), but I prefer this.
Target
None
Scanner
None
Beta Was this translation helpful? Give feedback.
All reactions