@@ -92,41 +92,23 @@ jobs:
92
92
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
93
93
shell : bash
94
94
95
-
96
- cve_matrix :
97
- strategy :
98
- matrix :
99
- cve : ${{ fromJSON(format('[{0}]', steps.cve-list.outputs.CVE_EXCEPTIONS)) }}
100
- steps :
101
- - name : Add VEX attestations
102
- uses : docker/scout-cli-action@v1
103
- with :
104
- command : attestation-add
105
- only-severity : critical,high
106
- tags : ${{ steps.meta.outputs.tags }}
107
- file : ./docker/vex/${{ matrix.cve }}.vex.json
108
- predicate-type : https://openvex.dev/ns/v0.2.0
109
-
110
95
# About VEX attestations https://docs.docker.com/scout/explore/exceptions/
111
96
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
112
- # - name: Add VEX attestations
113
- # uses: docker/scout-cli-action@v1
114
- # with:
115
- # command: attestation-add
116
- # only-severity: critical,high
117
- # tags: ${{ steps.meta.outputs.tags }}
118
- # file: ./docker/vex/${{ matrix.cve }}.vex.json
119
- # predicate-type: https://openvex.dev/ns/v0.2.0 strategy:
120
-
121
- # run: |
122
- # echo $CVE_EXCEPTIONS
123
- # curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
124
- # for cve in $CVE_EXCEPTIONS; do
125
- # for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
126
- # echo "Attaching VEX exception $cve to $tag"
127
- # docker scout attestation add \
128
- # --file "./docker/vex/$cve.vex.json" \
129
- # --predicate-type https://openvex.dev/ns/v0.2.0 \
130
- # $tag
131
- # done
132
- # done
97
+ # Fixed to use v1.15.1 of scout-cli as v1.16.0 install script is broken
98
+ # https://github.com/docker/scout-cli
99
+ - name : Add VEX attestations
100
+ env :
101
+ CVE_EXCEPTIONS : ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
102
+ run : |
103
+ echo $CVE_EXCEPTIONS
104
+ curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- v1.15.1
105
+ for cve in $CVE_EXCEPTIONS; do
106
+ for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
107
+ echo "Attaching VEX exception $cve to $tag"
108
+ docker scout attestation add \
109
+ --file "./docker/vex/$cve.vex.json" \
110
+ --predicate-type https://openvex.dev/ns/v0.2.0 \
111
+ $tag
112
+ done
113
+ done
114
+ shell : bash
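Review bot: The installer is still fetched from the mutable `main` branch of docker/scout-cli and piped straight into `sh`, so the new `v1.15.1` argument pins only the binary the script downloads, not the script itself that runs inside the job — the breakage the new comment describes is a symptom of exactly that. Pin the script to a commit, `curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/<COMMIT_SHA>/install.sh | sh -s -- v1.15.1` (placeholder SHA), or vendor it into the repo, and verify a known checksum before executing it. The `for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"` line interpolates a workflow expression directly into the shell script; since the hunk already routes CVE_EXCEPTIONS through `env`, do the same for the tags by adding `TAGS: ${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}` under `env` and looping with `for tag in $TAGS; do`. Note that the current double-quoted form makes the inner loop run once with the whole space-joined string, which is only word-split when `$tag` is passed unquoted to `docker scout attestation add`, so the echo line reports all tags at once. Whether `for cve in $CVE_EXCEPTIONS` splits as intended depends on the separator the cve-list step writes to `$GITHUB_OUTPUT`, which is outside this hunk.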