2022-10-21 09:19:51 -04:00
|
|
|
name: Container SBOM
|
|
|
|
description: Create, vuln-check, sign and upload SBOMs for container images.
|
|
|
|
inputs:
|
|
|
|
containerReference:
|
|
|
|
description: "Full reference to container image, e.g., ghcr.io/org/repo/img:tag"
|
|
|
|
required: true
|
|
|
|
cosignPublicKey:
|
|
|
|
description: "Cosign public key"
|
|
|
|
required: true
|
|
|
|
cosignPrivateKey:
|
|
|
|
description: "Cosign private key"
|
|
|
|
required: true
|
|
|
|
cosignPassword:
|
|
|
|
description: "Password for Cosign private key"
|
|
|
|
required: true
|
|
|
|
|
|
|
|
runs:
|
|
|
|
using: "composite"
|
|
|
|
steps:
|
|
|
|
- name: Install Cosign
|
2023-01-17 12:49:00 -05:00
|
|
|
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
2023-01-18 04:15:58 -05:00
|
|
|
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
|
|
|
|
|
2023-01-18 11:33:10 -05:00
|
|
|
- name: Download Syft & Grype
|
|
|
|
uses: ./.github/actions/install_syft_grype
|
2022-10-21 09:19:51 -04:00
|
|
|
|
|
|
|
- name: Generate SBOM
|
2023-01-18 04:15:58 -05:00
|
|
|
shell: bash
|
|
|
|
env:
|
|
|
|
# COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404
|
|
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
|
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
|
|
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
2022-10-21 09:19:51 -04:00
|
|
|
run: |
|
|
|
|
set -ex
|
2023-02-22 08:17:02 -05:00
|
|
|
syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json
|
2023-02-22 09:06:30 -05:00
|
|
|
cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type "https://cyclonedx.org/bom" > container-image.att.json
|
2022-10-21 09:19:51 -04:00
|
|
|
cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
|
|
|
|
# TODO: type should be auto-discovered after issue is resolved:
|
|
|
|
# https://github.com/sigstore/cosign/issues/2264
|
2023-02-22 09:06:30 -05:00
|
|
|
cosign verify-attestation ${{ inputs.containerReference }} --type "https://cyclonedx.org/bom" --key env://COSIGN_PUBLIC_KEY
|
2023-02-22 08:17:02 -05:00
|
|
|
grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none
|