@@ -62,10 +62,17 @@ runs:
env:
env:
COSIGN_EXPERIMENTAL: "1"
COSIGN_EXPERIMENTAL: "1"
run: |
run: |
+ # Image SBOM (OS + application libs contained in the image)
syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json
syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json
cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
+ # Go modules SBOM (dependencies from the source tree)
+ # Requires repository to be checked out before this composite action runs.
+ syft dir:. -o spdx-json=sbom.gomod.${{ inputs.image-tag }}.spdx.json
+ cosign attest --predicate sbom.gomod.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
+ cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
+
- name: Generate provenance
- name: Generate provenance
uses: philips-labs/slsa-provenance-action@v0.7.2
uses: philips-labs/slsa-provenance-action@v0.7.2
with:
with:
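Review bot: The added `cosign verify-attestation` line only checks that an SPDX attestation for the digest exists and decodes it with jq; it does not constrain who signed it, so the step confirms the upload rather than the signer. Because both SBOMs are attested with `--type spdx` against the same digest, that command now also returns the image SBOM and cannot single out the Go-modules one. If the cosign version in use supports them, pin the keyless identity, e.g. `--certificate-identity-regexp "<EXPECTED_IDENTITY_REGEXP>" --certificate-oidc-issuer "<EXPECTED_OIDC_ISSUER>"`, and consider a distinct predicate type for the gomod attestation so consumers can tell the two apart. The new `syft` and `cosign attest` lines also interpolate `${{ inputs.image-tag }}` and `${{ inputs.image-name }}` straight into the shell script; passing them through the step's `env:` block and referencing them as `"$IMAGE_TAG"` / `"$IMAGE_NAME"` avoids shell expansion of a crafted input. Whether a cosign failure before the `| jq` pipe fails the step depends on the `shell:` setting, which is outside this hunk.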