kubeclarity VS witness

In the following steps, we use a local Kubernetes cluster (such as kind) to test the image. With the cluster up and running, let's install some tooling to help us with image scanning. In this case, we're using KubeClarity. Follow the installation instructions in the README to install it into your development cluster.

Introducing KubeClarity. KubeClarity is an open-source project to help you ship more secure software. While KubeClarity covers many different use cases, let's focus on image scanning for now.

KubeClarity runs on any Kubernetes cluster and provides a UI and CLI for analyzing images and generating SBOMs. By default, KubeClarity doesn’t have its own SBOM generator or vulnerability scanner, but instead supports third-party tools that you can enable in any combination, making it great for adding additional interfaces for existing toolchains.

the only thing I can think of is something like https://github.com/openclarity/kubeclarity but that's a little OTT for me.

I stumbled across https://github.com/cisco-open/kubei recently, it looks the goods but I have not had time to implement yet

We have lots of work to do. https://github.com/in-toto/witness

Full disclosure, I am a member of the steering committee for in-toto and the CEO of TestifySec which in the main contributor to Witness.

You may also want to look into Witness https://github.com/testifysec/witness

like Witness which helps attest that software was built with the process you’re trying to attest to it.

Verifying provenance across CI steps is what the in-toto project was designed to help with. We implement in-toto with our open-source projects, Witness and Archivist.