https://github.com/chainguard-dev/text4shell-policy
ClusterImagePolicy demo for cve-2022-42889 text4shell
- Host: GitHub
- URL: https://github.com/chainguard-dev/text4shell-policy
- Owner: chainguard-dev
- License: apache-2.0
- Archived: true
- Created: 2022-10-17T21:49:13.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-06-21T11:06:51.000Z (almost 2 years ago)
- Last Synced: 2025-03-17T15:58:30.955Z (2 months ago)
- Language: Java
- Homepage:
- Size: 2.6 MB
- Stars: 4
- Watchers: 5
- Forks: 1
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Text4Shell Demo
This demo shows how you can use Sigstore to validate your signed SBOMs against text4shell policies in Kubernetes or on the command line.

## Option 1: Check if your remote OCI image is affected using cue with cosign 2.0
```
cosign verify-attestation --policy policy/text4shell.cue --type https://cyclonedx.org/bom --certificate-identity-regexp=.* --certificate-oidc-issuer-regexp=.* ghcr.io/chainguard-dev/text4shell-policy:main
```
The `.*` regular expressions accept a certificate from any identity and any OIDC issuer, so this command evaluates the SBOM against the policy without pinning who signed it. Outside a demo, restrict both flags to the expected signer and issuer.

## Option 2: Check using Enforce for Kubernetes with image built from this repo
```
chainctl policies create --group $DEMO_GROUP -f policy/text4shell-policy.yaml
kubectl label ns default policy.sigstore.dev/include=true --overwrite
kubectl run text4shell --image=ghcr.io/chainguard-dev/text4shell-policy:main
```
### Clean Up
```
kubectl delete pod text4shell --grace-period=0
chainctl policy delete -y $(chainctl policy list -o json | jq -r '[.items[] | select(.name == "vuln-cve-2022-42889-text4shell")][0].id')
kubectl label ns default policy.sigstore.dev/include-
```
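
To make the check in Option 1 concrete, the following added example (not code from this repository) shows the kind of test a text4shell policy applies to a CycloneDX SBOM attestation after cosign has verified its signature. The affected range (Commons Text 1.5 through 1.9) comes from the CVE-2022-42889 advisory. The envelope layout, the function names and the sample SBOM are assumptions constructed for illustration; the contents of `policy/text4shell.cue` are not shown on this page.

```python
import base64
import json
import re

# Assumption: range taken from the CVE-2022-42889 advisory (Commons Text 1.5
# through 1.9, fixed in 1.10.0), not from the repo's policy file.
AFFECTED = ((1, 5), (1, 9))
PURL_PREFIX = "pkg:maven/org.apache.commons/commons-text@"

def is_affected(version):
    """True if major.minor is in the affected range; unparsable fails closed."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:2])
    return len(nums) < 2 or AFFECTED[0] <= nums <= AFFECTED[1]

def walk(components):
    """Yield every component, including nested CycloneDX sub-components."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def affected_components(bom):
    """Return the purls of commons-text components in the affected range."""
    return [c["purl"] for c in walk(bom.get("components"))
            if c.get("purl", "").startswith(PURL_PREFIX)
            and is_affected(c.get("version", ""))]

def bom_from_envelope(envelope_json):
    """Unwrap DSSE envelope -> in-toto statement -> CycloneDX predicate."""
    envelope = json.loads(envelope_json)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != "https://cyclonedx.org/bom":
        raise ValueError("not a CycloneDX attestation")
    return statement["predicate"]

def _comp(name, version, children=()):
    """Build a constructed CycloneDX component entry for the sample below."""
    return {"name": name, "version": version, "components": list(children),
            "purl": f"pkg:maven/org.apache.commons/{name}@{version}"}

# Constructed sample: one vulnerable nested dependency, one fixed version.
SAMPLE_BOM = {"bomFormat": "CycloneDX", "components": [
    _comp("commons-lang3", "3.12.0", [_comp("commons-text", "1.9")]),
    _comp("commons-text", "1.10.0")]}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(
        {"predicateType": "https://cyclonedx.org/bom",
         "predicate": SAMPLE_BOM}).encode()).decode()})

if __name__ == "__main__":
    print(affected_components(bom_from_envelope(SAMPLE_ENVELOPE)))
```

The script only inspects the payload. Verifying the signature and certificate identity remains cosign's job.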