
feat: use docker buildx to create attestation files.
Updates the GitHub workflow to use Docker buildx to generate the
SLSA attestation and SBOM files. Furthermore, the workflow previously used
to generate the SBOM files has been updated to download the data from
the container registry and upload it to the release page, as it did
before.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
jvanz committed Oct 2, 2024
1 parent 3998c93 commit 5db79e1
Showing 4 changed files with 41 additions and 30 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/container-image.yml
Expand Up @@ -65,6 +65,8 @@ jobs:
file: ./Dockerfile
platforms: linux/amd64, linux/arm64
push: true
sbom: true
provenance: mode=max
tags: |
ghcr.io/${{github.repository_owner}}/audit-scanner:${{ env.TAG_NAME }}
- # Only build amd64 because buildx does not allow multiple platforms when
Expand All @@ -77,6 +79,8 @@ jobs:
context: .
file: ./Dockerfile
platforms: linux/amd64
sbom: true
provenance: mode=max
outputs: type=docker,dest=/tmp/audit-scanner-image-${{ env.TAG_NAME }}.tar
tags: |
ghcr.io/${{github.repository_owner}}/audit-scanner:${{ env.TAG_NAME }}
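Review bot: `provenance: mode=max` on both build-push steps records the full build configuration, including build arguments, in the provenance that is pushed to the registry; the hunks show no `build-args`, but if any are added later (or exist outside the hunk) they become part of a public attestation, so a comment such as `# mode=max embeds build-args in the provenance: never pass secrets as build-args` above each `provenance:` line would guard against that. For the second build (the one with `outputs: type=docker,dest=…tar`) I am not certain the docker exporter retains attestations in the tarball; if it does not, `sbom: true` and `provenance: mode=max` there are no-ops and the tarball ships without an SBOM, which is worth confirming before relying on it. Both `steps` blocks begin outside the hunks.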
16 changes: 9 additions & 7 deletions .github/workflows/release.yml
Expand Up @@ -95,7 +95,7 @@ jobs:
- name: Download SBOM artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: sbom-*
pattern: attestation-*
path: ./
merge-multiple: true

Expand All @@ -118,12 +118,14 @@ jobs:
let path = require('path');
let files = [
'audit-scanner-sbom-amd64.spdx',
'audit-scanner-sbom-amd64.spdx.cert',
'audit-scanner-sbom-amd64.spdx.sig',
'audit-scanner-sbom-arm64.spdx',
'audit-scanner-sbom-arm64.spdx.cert',
'audit-scanner-sbom-arm64.spdx.sig',
'audit-scanner-attestation-amd64-provenance.json',
'audit-scanner-attestation-amd64-sbom.json',
'audit-scanner-attestation-amd64.cert',
'audit-scanner-attestation-amd64.sig',
'audit-scanner-attestation-arm64-provenance.json',
'audit-scanner-attestation-arm64-sbom.json',
'audit-scanner-attestation-arm64.cert',
'audit-scanner-attestation-arm64.sig',
"CRDS.tar.gz"]
const {RELEASE_ID} = process.env
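Review bot: The new asset list publishes `audit-scanner-attestation-<arch>.cert` and `.sig` beside `-provenance.json` and `-sbom.json`, which suggests the JSON files can be checked with `cosign verify-blob`; as far as the diff shows, those two files are written by `cosign sign` in sbom.yml over the attestation manifest in the registry, not over the downloaded blobs, so that verification would fail. I would add a comment in the list, `// .cert/.sig are the cosign signature of the attestation manifest in ghcr.io, not of the .json files below`, and state the intended verification command (`cosign verify` against the image digest) in the release notes. Style: `let files` does not appear to be reassigned and could be `const`. The `github-script` body that consumes this list starts and ends outside the hunk.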
50 changes: 27 additions & 23 deletions .github/workflows/sbom.yml
Expand Up @@ -45,39 +45,43 @@ jobs:
ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ inputs.image-digest }})
echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Create SBOM file
shell: bash
- name: Find attestation digest
run: |
syft \
-o spdx-json \
--file audit-scanner-sbom-${{ matrix.arch }}.spdx \
ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ env.PLATFORM_DIGEST }}
set -e
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }} \
| jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest'
)
echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Sign SBOM file
- name: Sign attestation manifest
run: |
cosign sign-blob --yes \
--output-certificate audit-scanner-sbom-${{ matrix.arch }}.spdx.cert \
--output-signature audit-scanner-sbom-${{ matrix.arch }}.spdx.sig \
audit-scanner-sbom-${{ matrix.arch }}.spdx
cosign sign --yes \
--output-certificate audit-scanner-attestation-${{ matrix.arch }}.cert \
--output-signature audit-scanner-attestation-${{ matrix.arch }}.sig \
ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}}
- name: Attach SBOM file in the container image
shell: bash
- name: Find provenance file digest
run: |
cosign attach \
sbom --sbom audit-scanner-sbom-${{ matrix.arch }}.spdx \
ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ env.PLATFORM_DIGEST }}
set -e
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Sign SBOM file pushed to OCI registry
shell: bash
- name: Find sbom file digest
run: |
set -e
SBOM_TAG="$(echo ${{ env.PLATFORM_DIGEST }} | sed -e 's/:/-/g').sbom"
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document") | .digest')
echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
cosign sign --yes \
ghcr.io/${{github.repository_owner}}/audit-scanner:${SBOM_TAG}
- name: Download attestation and SBOM files
run: |
set -e
crane blob ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.PROVENANCE_DIGEST}} > audit-scanner-attestation-${{ matrix.arch }}-provenance.json
crane blob ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.SBOM_DIGEST}} > audit-scanner-attestation-${{ matrix.arch }}-sbom.json
- name: Upload SBOMs as artifacts
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: sbom-${{ matrix.arch }}
path: audit-scanner-sbom-${{ matrix.arch }}*
name: attestation-${{ matrix.arch }}
path: audit-scanner-attestation-${{ matrix.arch }}*
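Review bot: The three `crane manifest … | jq '… | .digest'` pipelines in "Find attestation digest", "Find provenance file digest" and "Find sbom file digest" run jq without `-r`, so `DIGEST` holds the quoted JSON string (`"sha256:…"`); it only works downstream because the value is spliced back into a bash `run:` script via `${{ env.… }}`, where the shell strips the quotes, and it would break as soon as the variable is read as `$ATTESTATION_MANIFEST_DIGEST` or by a non-shell consumer. None of the steps checks for an empty result: a `select` that matches nothing (for example if the predicate type buildx emits ever differs from the hard-coded `https://slsa.dev/provenance/v0.2` or `https://spdx.dev/Document`) leaves `DIGEST` empty and the step still succeeds, and without `pipefail` a failing `crane manifest` is masked by jq exiting 0, so the later `crane blob` fails with an unrelated error or downloads nothing. I would use `jq -r`, enable `pipefail`, and fail the step when the digest is empty, as below for the first step and equivalently for the other two. Splicing `${{ inputs.image-digest }}` and `${{ env.… }}` straight into the script text is also the pattern that enables script injection; since the values come from a caller workflow and from this job's own steps the risk looks low, but passing them through `env:` and referencing `"$IMAGE_DIGEST"` would remove the concern entirely.

```yaml
      - name: Find attestation digest
        run: |
          set -eo pipefail
          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }} \
            | jq -r '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest'
          )
          [ -n "$DIGEST" ] || { echo "no attestation manifest found for ${{ env.PLATFORM_DIGEST }}" >&2; exit 1; }
          echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
      # … unchanged: Sign attestation manifest …
      # … "Find provenance file digest" and "Find sbom file digest": same -r / pipefail / empty-digest check …
```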
1 change: 1 addition & 0 deletions .github/workflows/sign-image.yml
Expand Up @@ -30,3 +30,4 @@ jobs:
run: |
cosign sign --yes \
ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }}

