|
|
@@ -18,14 +18,16 @@ runs:
|
|
|
steps:
|
|
|
|
|
|
- name: Install cosign
|
|
|
- # https://github.com/sigstore/cosign-installer/releases/tag/v2.8.1
|
|
|
- uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
|
|
|
+ # https://github.com/sigstore/cosign-installer/releases/tag/v4.0.0
|
|
|
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
|
|
|
with:
|
|
|
- cosign-release: v1.13.6
|
|
|
+ cosign-release: 'v3.0.3'
|
|
|
|
|
|
- name: Install Syft
|
|
|
- # https://github.com/anchore/sbom-action/releases/tag/v0.7.0
|
|
|
- uses: anchore/sbom-action/download-syft@ce4a7cf05d7b684693d7b6bba97bfbee56806edb # v0.7.0
|
|
|
+ # https://github.com/anchore/sbom-action/releases/tag/v0.22.2
|
|
|
+ uses: anchore/sbom-action/download-syft@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
|
|
|
+ with:
|
|
|
+ syft-version: v1.41.2
|
|
|
|
|
|
- name: Check Cosign install
|
|
|
shell: bash
|
|
|
@@ -58,31 +60,35 @@ runs:
|
|
|
- name: Sign image
|
|
|
shell: bash
|
|
|
env:
|
|
|
- COSIGN_EXPERIMENTAL: "1"
|
|
|
IMAGE_NAME: ${{ inputs.image-name }}
|
|
|
CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
|
|
|
GITHUB_TRIGGERING_ACTOR: ${{ github.triggering_actor }}
|
|
|
- run: cosign sign -a GITHUB_ACTOR=${GITHUB_TRIGGERING_ACTOR} "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
+ run: cosign sign --yes -a GITHUB_ACTOR=${GITHUB_TRIGGERING_ACTOR} "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
|
|
|
- name: Attach SBOM to image
|
|
|
shell: bash
|
|
|
id: sbom
|
|
|
env:
|
|
|
- COSIGN_EXPERIMENTAL: "1"
|
|
|
IMAGE_NAME: ${{ inputs.image-name }}
|
|
|
IMAGE_TAG: ${{ inputs.image-tag }}
|
|
|
CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
|
|
|
run: |
|
|
|
# Image SBOM (OS + application libs contained in the image)
|
|
|
syft "${IMAGE_NAME}@${CONTAINER_DIGEST}" -o spdx-json=sbom.${IMAGE_TAG}.spdx.json
|
|
|
- cosign attest --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
- cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
|
|
|
-
|
|
|
+ # cosign attest --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
+ cosign attest --yes --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
+ # cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
|
|
|
+ cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} \
|
|
|
+ --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/.*" \
|
|
|
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq '.payload |= @base64d | .payload | fromjson'
|
|
|
# Go modules SBOM (dependencies from the source tree)
|
|
|
# Requires repository to be checked out before this composite action runs.
|
|
|
syft dir:. -o spdx-json=sbom.gomod.${IMAGE_TAG}.spdx.json
|
|
|
- cosign attest --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
- cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
|
|
|
+ # cosign attest --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
+ cosign attest --yes --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
+ cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} \
|
|
|
+ --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/.*" \
|
|
|
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq '.payload |= @base64d | .payload | fromjson'
|
|
|
|
|
|
- name: Generate provenance
|
|
|
# https://github.com/philips-labs/slsa-provenance-action/releases/tag/v0.7.2
|
|
|
@@ -99,11 +105,14 @@ runs:
|
|
|
shell: bash
|
|
|
id: provenance
|
|
|
env:
|
|
|
- COSIGN_EXPERIMENTAL: "1"
|
|
|
IMAGE_NAME: ${{ inputs.image-name }}
|
|
|
IMAGE_TAG: ${{ inputs.image-tag }}
|
|
|
CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
|
|
|
run: |
|
|
|
jq '.predicate' provenance.${IMAGE_TAG}.intoto.jsonl > provenance-predicate.att
|
|
|
- cosign attest --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
- cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST}
|
|
|
+ # cosign attest --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
+ cosign attest --yes --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
|
|
|
+ # cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST}
|
|
|
+ cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST} \
|
|
|
+ --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/.*" \
|
|
|
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com
|
Gergely Bräutigam