diff --git a/README.md b/README.md index c9fbf61..69e09a4 100644 --- a/README.md +++ b/README.md 
@@ -119,7 +119,7 @@ you must first add your GitHub repository to [github-repositories-terraform](htt | `push` | If `true`, the action will push the Docker image to the registry. | no | `true` | | `registry` | What container registry to use, we support Azure Container Registry (ACR) and GitHub Container Registry (GHCR). You should set this to the URL of the registry you want to use, e.g. `ghcr.io/3lvia` or `myregistry.azurecr.io`. The action will authenticate with the registry depending on the value of the URL, i.e. if the URL contains `azurecr.io`jor `ghcr.io`. If set to an ACR registry, Elvia's private Azure Container Registry will be used by default. You can also set these explictly to point to your own ACR. Using ACR requires the permissions `id-token: write` to access the registry using OIDC. If set to a GHCR registry, the action will push to the GitHub Container Registry of the repository. Using GHCR requires the `packages: write` permission to push to the registry. | no | | | `severity` | Severity levels to scan for. See [Trivy documentation](https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs) for more information. | no | `CRITICAL` | -| `sign-image` | If `true`, the action will sign the Docker image with Cosign. This will default to `true` in the near future. | no | `false` | +| `sign-image` | If `true`, the action will sign the Docker image with Cosign. | no | `true` | | `trivy-cve-ignores` | Comma-separated list of CVEs for Trivy to ignore. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.49/docs/configuration/filtering/#trivyignore) for syntax. | no | | | `trivy-post-comment` | If `true`, the action will post a comment to the PR with the Trivy scan results. The comment will only be posted if the action is ran on a pull request. This action requires the permission `pull-requests: write` to be set for the job. 
| no | `false` | | `trivy-upload-report` | If `true`, the action will upload Trivy scan results to GitHub Advanced Security. This actions requires GitHub Advanced Security to be enabled for the repository, and the permissions `actions: read` and `security-events: write` to be set for the job. | no | `false` | @@ -220,10 +220,10 @@ More permissions might be required depending on the inputs set, see the actions # Default: 'CRITICAL' sign-image: - # If `true`, the action will sign the Docker image with Cosign. This will default to `true` in the near future. + # If `true`, the action will sign the Docker image with Cosign. # # Required: no - # Default: 'false' + # Default: 'true' trivy-cve-ignores: # Comma-separated list of CVEs for Trivy to ignore. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.49/docs/configuration/filtering/#trivyignore) for syntax.
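Review bot: The `sign-image` row in the inputs table (hunk at `-119,7`) now documents a default of `true`, but unlike the neighbouring `registry`, `trivy-post-comment` and `trivy-upload-report` rows it does not say what the job needs for signing to succeed. With signing on by default, every caller that never set this input is affected, so the row should state any permissions or prerequisites that Cosign signing needs in this action, and mention that setting `sign-image` to `false` turns it off.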
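Review bot: In the usage block (hunk at `-220,10`), `# Default: 'true'` for `sign-image` is changed only in README.md as far as this diff shows. Please confirm that the default in the action's input definition changes in the same commit, otherwise the documentation and the actual behaviour disagree. Removing "This will default to `true` in the near future." also drops the only hint that the behaviour has changed, so consider a short release note for callers who relied on the old default of `false`.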