From 2da7c26d01978f797651638db05e5485df21adf0 Mon Sep 17 00:00:00 2001 From: Arthur Deierlein Date: Fri, 19 Apr 2024 11:06:56 +0200 Subject: [PATCH] fix: code signing using cosign chore(release): sign image using cosign chore(release): create SBOM attestation and attach it to signed image chore(trivy-scan): now has attest input chore(schedule): now creates an attestation using cosign Signed-off-by: Arthur Deierlein --- .github/workflows/release.yaml | 35 +++++++++++++++++++++++++++++++ .github/workflows/schedule.yaml | 1 + .github/workflows/trivy-scan.yaml | 32 +++++++++++++++++++++++++++- 3 files changed, 67 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bea7700c..51203cc7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -9,6 +9,18 @@ jobs: semrel: name: Semantic Release runs-on: ubuntu-latest + permissions: + actions: none + checks: none + contents: none + deployments: none + issues: none + packages: write + pull-requests: none + repository-projects: none + security-events: none + statuses: none + id-token: write # needed for signing the images with GitHub OIDC using cosign steps: - name: Checkout uses: actions/checkout@v4 @@ -50,6 +62,7 @@ jobs: - name: Build and push if: steps.semrel.outputs.version != '' + id: docker uses: docker/build-push-action@v5 with: context: . 
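Review bot: `contents: none` on the semrel job looks too tight for a semantic-release job that creates tags and GitHub releases; unless the release step uses a token other than GITHUB_TOKEN (not visible in this hunk), it needs `contents: write`. Separately, `id-token: write` lets every step in this job mint an OIDC token in the repository's identity, so the third-party actions the job runs are worth pinning to commit SHAs rather than mutable version tags. The trailing comment on the `id-token` line would read better in the file's existing style, on its own line above the key: `# needed for signing the images with GitHub OIDC using cosign`. The steps list continues outside the hunk.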
@@ -58,3 +71,25 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: | ${{ steps.meta.outputs.labels }} + + - name: Run Trivy vulnerability scanner on api + if: steps.semrel.outputs.version != '' + uses: aquasecurity/trivy-action@0.19.0 + with: + image-ref: ghcr.io/adfinis/timed-backend + format: "cyclonedx" + output: "trivy.cdx" + + - name: Install Cosign + if: steps.semrel.outputs.version != '' + uses: sigstore/cosign-installer@v3.4.0 + + - name: Sign the image with GitHub OIDC Token using cosign + if: steps.semrel.outputs.version != '' + run: | + cosign sign --yes ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }} + + - name: Attach an SBOM attestation to the signed image + if: steps.semrel.outputs.version != '' + run: | + cosign attest --yes --type cyclonedx --predicate trivy.cdx ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }} diff --git a/.github/workflows/schedule.yaml b/.github/workflows/schedule.yaml index 4dda741b..a9399d16 100644 --- a/.github/workflows/schedule.yaml +++ b/.github/workflows/schedule.yaml @@ -12,3 +12,4 @@ jobs: uses: ./.github/workflows/trivy-scan.yaml with: image-ref: ghcr.io/adfinis/timed-backend + attest: true diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml index 6bc154f1..7294b7af 100644 --- a/.github/workflows/trivy-scan.yaml +++ b/.github/workflows/trivy-scan.yaml @@ -8,6 +8,10 @@ on: required: true type: string description: The image to scan e.g. ghcr.io/owner/image + attest: + required: false + type: boolean + default: true jobs: trivy-scan: @@ -22,7 +26,8 @@ jobs: repository-projects: none security-events: write statuses: none - id-token: none + # needed for `cosign attest` + id-token: write runs-on: ubuntu-latest name: Scan ${{ inputs.image-ref }} 
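Review bot: The Trivy step scans `ghcr.io/adfinis/timed-backend` by name with no tag (presumably resolved to `latest`), while `cosign sign` and `cosign attest` target `@${{ steps.docker.outputs.digest }}`, so the CycloneDX SBOM attached as an attestation may describe a different image than the one just built and signed. Scan the same artifact: `image-ref: ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }}`. Both `aquasecurity/trivy-action@0.19.0` and `sigstore/cosign-installer@v3.4.0` execute in a job holding `id-token: write` and `packages: write`; pinning them to commit SHAs keeps a moved tag from running with those rights. If the build produces a multi-arch image, `cosign sign` without `--recursive` signs only the index and not the per-platform manifests — worth confirming against the build step, which lies outside this hunk.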
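Review bot: Setting `attest: true` makes the reusable workflow run `cosign attest`, which needs `id-token: write`, and a called workflow cannot hold more permissions than the calling job grants; if the calling job in schedule.yaml (outside this hunk) does not already set `permissions: id-token: write`, the attest step will fail at runtime rather than at parse time. Since the input defaults to `true` in trivy-scan.yaml, this line is redundant; keeping it explicit is fine, but then a comment such as `# publishes a cosign vuln attestation; requires id-token: write on this job` would document the privilege it implies.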
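Review bot: The new `attest` input has no `description:` while the sibling `image-ref` input documents itself, and defaulting a privileged, side-effecting operation to `true` means every existing caller starts publishing attestations (and must grant `id-token: write`) without opting in. Add `description: Attach a cosign vulnerability attestation to the scanned image (caller must grant id-token: write)` and consider `default: false` so callers opt in explicitly. The enclosing `on.workflow_call.inputs` mapping starts outside the hunk.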
@@ -38,7 +43,17 @@ jobs: uses: aquasecurity/trivy-action@0.19.0 with: image-ref: ${{ inputs.image-ref }} + format: "json" + output: "trivy.json" + + - name: Convert results to sarif + uses: aquasecurity/trivy-action@0.19.0 + with: + image-ref: trivy.json + scan-type: "convert" format: "sarif" + # skip --vuln-type arg + vuln-type: "" output: "trivy.sarif" - name: Upload Trivy scan results to GitHub Security tab @@ -46,3 +61,18 @@ jobs: if: always() with: sarif_file: "trivy.sarif" + + - name: Convert trivy results to cosign-vuln + if: ${{ inputs.attest }} + uses: aquasecurity/trivy-action@0.19.0 + with: + image-ref: trivy.json + scan-type: "convert" + format: "cosign-vuln" + # skip --vuln-type arg + vuln-type: "" + output: "trivy.cosign.json" + + - name: Attach a security attestation to the signed image + if: ${{ inputs.attest }} + run: cosign attest --yes --type vuln --predicate trivy.cosign.json ${{ inputs.image-ref }}
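Review bot: The `vuln-type: ""` workaround in the sarif convert step carries a comment that says what it does but not why, and the same pair is repeated in the cosign-vuln convert step later in this file. A comment stating the reason keeps someone from "cleaning it up", for example `# scan-type convert rejects --vuln-type; an empty value keeps the action from passing it`, assuming the action really omits the flag for an empty value, which is worth confirming against trivy-action 0.19.0. The Upload step continues outside the hunk.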
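Review bot: The attest step runs `cosign attest` directly, but nothing in this workflow installs cosign — unlike release.yaml, which adds a `sigstore/cosign-installer` step — so it will fail unless the `ubuntu-latest` image happens to ship it; add `- name: Install Cosign` / `if: ${{ inputs.attest }}` / `uses: sigstore/cosign-installer@v3.4.0` before it. Also, `${{ inputs.image-ref }}` is a tag reference for the scheduled caller, so the attestation binds to whatever digest the tag resolves to at attest time, which can differ from the digest Trivy scanned a few steps earlier; resolving the digest once before scanning and using it for both the scan and the attest step would close that gap. The `if: ${{ inputs.attest }}` guard is correct but the cosign-vuln predicate is a point-in-time report, so a comment noting that it reflects the database at scan time would help consumers of the attestation.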