lerentis
/
bitwarden-crd-operator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 18 Wiki Activity

publish sboms #4

New Issue
Closed
opened 2022-11-07 20:31:37 +00:00 by lerentis · 2 comments
lerentis commented 2022-11-07 20:31:37 +00:00
Owner
Copy Link

and probably sign them via cosign

and probably sign them via cosign
lerentis commented 2022-11-29 21:07:46 +00:00
Author
Owner
Copy Link
name: 'Provenance / SBOM / Sign'

description: 'Creates SBOM & provenance files and signs the image'

inputs:
  image-name:
    description: "name of the image"
    required: true
    default: ''
  image-tag:
    description: "image tag"
    required: true
    default: ""
  GHCR_USERNAME:
    description: "ghcr username"
    required: true
  GHCR_TOKEN:
    description: "ghcr token"
    required: true
  GITHUB_TOKEN:
    description: "gh token"
    required: true

runs:
  using: "composite"

  steps:

    - name: Install cosign
      uses: sigstore/cosign-installer@v2
      with:
        cosign-release: v1.12.1

    - name: Install Syft
      uses: anchore/sbom-action/download-syft@v0.7.0

    - name: Check Cosign install
      shell: bash
      run: cosign version

    - name: Login to ghcr.io
      uses: docker/login-action@v1.14.1
      with:
        registry: ghcr.io
        username: ${{ inputs.GHCR_USERNAME }}
        password: ${{ inputs.GHCR_TOKEN }}

    - name: Setup Go
      uses: actions/setup-go@v3
      with:
        go-version-file: "go.mod"

    - name: Set up crane
      shell: bash
      run: go install github.com/google/go-containerregistry/cmd/crane@v0.11.0

    - name: Get docker image tag
      id: container_info
      shell: bash
      run: echo "::set-output name=digest::$(crane digest ${{ inputs.image-name }}:${{ inputs.image-tag }})"

    - name: Sign image
      shell: bash
      env:
        COSIGN_EXPERIMENTAL: "1"
      run: cosign sign -a GITHUB_ACTOR=${{ github.triggering_actor }} "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"

    - name: Attach SBOM to image
      shell: bash
      id: sbom
      env:
        COSIGN_EXPERIMENTAL: "1"
      run: |
        syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json
        cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
        cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'        
    - name: Generate provenance
      uses: philips-labs/slsa-provenance-action@v0.7.2
      with:
        command: generate
        subcommand: container
        arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}"
      env:
        COSIGN_EXPERIMENTAL: "0"
        GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}"

    - name: Attach provenance
      shell: bash
      id: provenance
      env:
        COSIGN_EXPERIMENTAL: "1"
      run: |
        jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl > provenance-predicate.att
        cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
        cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}
```yaml name: 'Provenance / SBOM / Sign' description: 'Creates SBOM & provenance files and signs the image' inputs: image-name: description: "name of the image" required: true default: '' image-tag: description: "image tag" required: true default: "" GHCR_USERNAME: description: "ghcr username" required: true GHCR_TOKEN: description: "ghcr token" required: true GITHUB_TOKEN: description: "gh token" required: true runs: using: "composite" steps: - name: Install cosign uses: sigstore/cosign-installer@v2 with: cosign-release: v1.12.1 - name: Install Syft uses: anchore/sbom-action/download-syft@v0.7.0 - name: Check Cosign install shell: bash run: cosign version - name: Login to ghcr.io uses: docker/login-action@v1.14.1 with: registry: ghcr.io username: ${{ inputs.GHCR_USERNAME }} password: ${{ inputs.GHCR_TOKEN }} - name: Setup Go uses: actions/setup-go@v3 with: go-version-file: "go.mod" - name: Set up crane shell: bash run: go install github.com/google/go-containerregistry/cmd/crane@v0.11.0 - name: Get docker image tag id: container_info shell: bash run: echo "::set-output name=digest::$(crane digest ${{ inputs.image-name }}:${{ inputs.image-tag }})" - name: Sign image shell: bash env: COSIGN_EXPERIMENTAL: "1" run: cosign sign -a GITHUB_ACTOR=${{ github.triggering_actor }} "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" - name: Attach SBOM to image shell: bash id: sbom env: COSIGN_EXPERIMENTAL: "1" run: | syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson' - name: Generate provenance uses: philips-labs/slsa-provenance-action@v0.7.2 with: command: generate subcommand: container arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}" env: COSIGN_EXPERIMENTAL: "0" GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}" - name: Attach provenance shell: bash id: provenance env: COSIGN_EXPERIMENTAL: "1" run: | jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl > provenance-predicate.att cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} ```
lerentis commented 2022-11-29 21:09:39 +00:00
Author
Owner
Copy Link
      - name: Sign promoted image
        id: sign
        uses: ./.github/actions/sign
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ env.RELEASE_TAG }}
          GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```yaml - name: Sign promoted image id: sign uses: ./.github/actions/sign with: image-name: ${{ env.IMAGE_NAME }} image-tag: ${{ env.RELEASE_TAG }} GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }} GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ```
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
Lerentis/issue60
Lerentis/issue29
Lerentis/issue25
gh-pages
0.6.4
v0.6.2
v0.6.1
v0.6.0
v0.5.4
v0.5.3
v0.5.2
v0.5.1
v0.5.0
v0.4.2
v0.4.1
v0.4.0
v0.3.0
v0.2.1
v0.2.0
v0.1.2
v0.1.1
v0.1.0
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No Label
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: lerentis/bitwarden-crd-operator#4
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?