demo: policy denials

.github/workflows/pipeline.yml

@@ -143,21 +143,6 @@ jobs:
       artifact-upload-name: syft.spdx.json
       artifact-upload-path: syft.spdx.json
 
-  cve-scan:
-    needs: save-image
-    uses: ./.github/workflows/witness.yml
-    with:
-      pull_request: ${{ github.event_name == 'pull_request' }}
-      step: cve-scan 
-      attestations: "git github environment"
-      artifact-download: image.tar
-      pre-command: |
-        curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
-      command: |
-        grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif
-      artifact-upload-name: grype.sarif
-      artifact-upload-path: grype.sarif
-
   secret-scan:
     needs: save-image
     uses: ./.github/workflows/witness.yml
@@ -174,17 +159,16 @@ jobs:
       artifact-upload-path: trufflehog.json
 
   verify:
-    needs: [ generate-sbom, cve-scan, secret-scan]
+    needs: [ generate-sbom, secret-scan]
 
-    if: ${{ github.event_name == 'push' }}
     uses: ./.github/workflows/witness.yml
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: verify 
       attestations: "git github environment"
       artifact-download: image.tar
       pre-command: |
-        curl -sSfL https://github.com/testifysec/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \
+        curl -sSfL https://github.com/in-toto/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \
         tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
       command: |
         witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug