
Buf fix #115

Merged
merged 1 commit into from
Jun 24, 2024

Conversation

santoshkal
Collaborator

Fix failing push/pull commands in CI introduced in PR 113

Signed-off-by: Santosh <ksantosh@intelops.dev>

dryrunsecurity bot commented Jun 24, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status                Findings
Server-Side Request Forgery Analyzer  0 findings
Configured Codepaths Analyzer         0 findings
IDOR Analyzer                         0 findings
SQL Injection Analyzer                0 findings
Secrets Analyzer                      0 findings
Authn/Authz Analyzer                  10 findings
Sensitive Files Analyzer              0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on improving the security and reliability of the Genval project, particularly in the areas of artifact management, signing, and credential handling.

The changes to the README.md file remove the section on authentication using the ~/.docker/config.json file and environment variables, and introduce new functionality for building, pushing, and signing generated and/or verified configuration files as OCI artifacts. This addition of artifact signing and verification using Cosign's keyless signing mode is a positive security enhancement, as it helps ensure the integrity and authenticity of the configuration files.

The changes to the cmd/artifact_pull.go, pkg/oci/ociClient.go, and cmd/artifact_push.go files also address several security-related aspects. These include improvements in credential handling, error handling, and retry mechanisms for OCI registry interactions, as well as the integration of Cosign signing for pushed artifacts. The addition of custom annotations for artifacts also provides a useful feature for storing security-related metadata.

Overall, these code changes appear to be focused on improving the security and reliability of the Genval project, which is a positive step for an application security engineer to review and approve.

Files Changed:

  1. README.md: The changes remove the section on authentication using the ~/.docker/config.json file and environment variables, and introduce new functionality for building, pushing, and signing generated and/or verified configuration files as OCI artifacts using Cosign's keyless signing mode.
  2. cmd/artifact_pull.go: The changes improve error handling, readability, and the credential management and signature verification processes for pulling artifacts from OCI-compliant container registries.
  3. pkg/oci/ociClient.go: The changes improve the handling of credentials, the GenerateCraneOptions function, the retry mechanism for network-related errors, and the customization of the user agent string.
  4. cmd/artifact_push.go: The changes improve credential handling, integrate Cosign signing for pushed artifacts, and add support for custom annotations, all of which contribute to enhancing the overall security of the artifact push functionality.

Powered by DryRun Security

@santoshkal santoshkal merged commit 91ef4df into main Jun 24, 2024
13 checks passed