This repository has been archived by the owner on May 13, 2024. It is now read-only.

Commit

fix: code signing using cosign
chore(release): sign image using cosign
chore(release): create SBOM attestation and attach it to signed image
chore(trivy-scan): now has attest input
chore(schedule): now creates an attestation using cosign

Signed-off-by: Arthur Deierlein <[email protected]>
c0rydoras committed Apr 19, 2024
1 parent 5de26d7 commit 2da7c26
Showing 3 changed files with 67 additions and 1 deletion.
35 changes: 35 additions & 0 deletions .github/workflows/release.yaml
@@ -9,6 +9,18 @@ jobs:
semrel:
name: Semantic Release
runs-on: ubuntu-latest
permissions:
actions: none
checks: none
contents: none
deployments: none
issues: none
packages: write
pull-requests: none
repository-projects: none
security-events: none
statuses: none
id-token: write # needed for signing the images with GitHub OIDC using cosign
steps:
- name: Checkout
uses: actions/checkout@v4
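Review bot: `id-token: write` is scoped to the whole `semrel` job, so every step in it, including the third-party actions it runs (`actions/checkout@v4` here and the build, scan and cosign actions later in the same job), can request a GitHub OIDC token and sign under this workflow's identity. Consider pinning those actions to a commit SHA instead of a floating tag so that a moved tag cannot put a different action behind that identity. Also worth confirming that `contents: none` does not break `actions/checkout@v4` or the tag/release push, i.e. that those steps authenticate with a token other than `GITHUB_TOKEN`. The explicit `none` on every other scope and the inline comment explaining `id-token` are good; the separate-line comment style used for the same key in trivy-scan.yaml would be a small consistency tidy-up.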
@@ -50,6 +62,7 @@ jobs:

- name: Build and push
if: steps.semrel.outputs.version != ''
id: docker
uses: docker/build-push-action@v5
with:
context: .
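Review bot: the new `id: docker` exists only so later steps can read `steps.docker.outputs.digest`; a more descriptive id such as `build` would make those references self-explanatory. Referencing the pushed image by digest for signing is the right call, since tags are mutable and a signature over a tag would not pin what was actually built.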
@@ -58,3 +71,25 @@ jobs:
tags: ${{ steps.meta.outputs.tags }}
labels: |
${{ steps.meta.outputs.labels }}
- name: Run Trivy vulnerability scanner on api
if: steps.semrel.outputs.version != ''
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/adfinis/timed-backend
format: "cyclonedx"
output: "trivy.cdx"

- name: Install Cosign
if: steps.semrel.outputs.version != ''
uses: sigstore/[email protected]

- name: Sign the image with GitHub OIDC Token using cosign
if: steps.semrel.outputs.version != ''
run: |
cosign sign --yes ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }}
- name: Attach an SBOM attestation to the signed image
if: steps.semrel.outputs.version != ''
run: |
cosign attest --yes --type cyclonedx --predicate trivy.cdx ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }}
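Review bot: the Trivy step scans `image-ref: ghcr.io/adfinis/timed-backend` with no tag or digest, which resolves to `:latest` at scan time, while the signature and the SBOM attestation a few lines later are bound to `${{ steps.docker.outputs.digest }}`; if `latest` is not yet the image that was just pushed, or is a different build, the CycloneDX predicate gets attached to a signed digest it does not describe. Use the same reference in all three steps, e.g. `image-ref: ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }}`. Two smaller points: the single-command `run: |` blocks could be plain `run:` lines, and `--yes` silently accepts the Sigstore transparency-log upload prompt, which is presumably intended here but deserves a comment like the one on `id-token`.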
1 change: 1 addition & 0 deletions .github/workflows/schedule.yaml
@@ -12,3 +12,4 @@ jobs:
uses: ./.github/workflows/trivy-scan.yaml
with:
image-ref: ghcr.io/adfinis/timed-backend
attest: true
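Review bot: `attest: true` is already the default declared in trivy-scan.yaml, so this line is redundant, though it makes the intent explicit and survives a later change of the default; fine either way. Because this workflow runs on a schedule, every run attaches a fresh `vuln` attestation to whatever `ghcr.io/adfinis/timed-backend` resolves to at that moment, so consumers should verify attestations against the digest they actually deploy rather than the newest one found on the tag.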
32 changes: 31 additions & 1 deletion .github/workflows/trivy-scan.yaml
@@ -8,6 +8,10 @@ on:
required: true
type: string
description: The image to scan e.g. ghcr.io/owner/image
attest:
required: false
type: boolean
default: true

jobs:
trivy-scan:
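Review bot: defaulting the new `attest` input to `true` changes behaviour for every existing caller of this reusable workflow: each of them now runs `cosign attest` and therefore needs `id-token: write` in the calling job, since a called workflow cannot be granted more than the caller passes in. A default of `false` would make attestation an explicit opt-in; if `true` is intended, add a `description` (as `image-ref` has) stating that the caller must grant `id-token: write`.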
@@ -22,7 +26,8 @@ jobs:
repository-projects: none
security-events: write
statuses: none
id-token: none
# needed for `cosign attest`
id-token: write

runs-on: ubuntu-latest
name: Scan ${{ inputs.image-ref }}
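Review bot: `permissions` cannot be made conditional on `inputs.attest`, so after this change the job holds `id-token: write` even when a caller passes `attest: false`, and the OIDC token is available to every step, including `aquasecurity/trivy-action` and `github/codeql-action/upload-sarif`. If callers that only want scanning should not carry a signing identity, move the attestation steps into a separate job that is the only one with `id-token: write`, and pin the third-party actions by commit SHA.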
@@ -38,11 +43,36 @@ jobs:
uses: aquasecurity/[email protected]
with:
image-ref: ${{ inputs.image-ref }}
format: "json"
output: "trivy.json"

- name: Convert results to sarif
uses: aquasecurity/[email protected]
with:
image-ref: trivy.json
scan-type: "convert"
format: "sarif"
# skip --vuln-type arg
vuln-type: ""
output: "trivy.sarif"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy.sarif"

- name: Convert trivy results to cosign-vuln
if: ${{ inputs.attest }}
uses: aquasecurity/[email protected]
with:
image-ref: trivy.json
scan-type: "convert"
format: "cosign-vuln"
# skip --vuln-type arg
vuln-type: ""
output: "trivy.cosign.json"

- name: Attach a security attestation to the signed image
if: ${{ inputs.attest }}
run: cosign attest --yes --type vuln --predicate trivy.cosign.json ${{ inputs.image-ref }}
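Review bot: `cosign attest ... ${{ inputs.image-ref }}` attests whatever the tag resolves to when that step runs, while Trivy scanned whatever it resolved to several steps earlier; if the tag moves in between (a concurrent release push, for instance), the `vuln` predicate is attached to an image it does not describe. Resolve the reference to a digest once at the start of the job and use that digest for both the scan and the attestation. Also, I do not see a cosign install step in this file, unlike release.yaml, which adds `sigstore/cosign-installer`; unless one exists outside the shown lines, the attest step will fail with `cosign: command not found`. Minor: `if: inputs.attest` works without the `${{ }}` wrapper, and the repeated `# skip --vuln-type arg` / `vuln-type: ""` workaround would benefit from a pointer to why it is needed.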
