ci: update Syft to 0.72.0 and Grype to 0.57.1 (#1120)

* ci: update Syft to 0.72.0 and Grype to 0.57.1
* ci: install Cosign before Syft
* ci: directly read private key from environment for Cosign
* ci: add --add-cpes-if-none to Grype
* ci: use cosign attest directly instead of syft attest

.github/actions/container_sbom/action.yml

@@ -33,10 +33,10 @@ runs:
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
       run: |
         set -ex
-        echo "$COSIGN_PRIVATE_KEY" > cosign.key
-        syft attest --key cosign.key ${{ inputs.containerReference }} -o cyclonedx-json > container-image.att.json
+        syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json
+        cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type cyclonedx > container-image.att.json
         cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
         # TODO: type should be auto-discovered after issue is resolved:
         # https://github.com/sigstore/cosign/issues/2264
         cosign verify-attestation ${{ inputs.containerReference }} --type 'https://cyclonedx.org/bom' --key env://COSIGN_PUBLIC_KEY
-        grype ${{ inputs.containerReference }} --fail-on high --only-fixed
+        grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none

.github/actions/install_syft_grype/action.yml

@@ -7,8 +7,8 @@ runs:
       shell: bash
       working-directory: /tmp
       env:
-        SYFT_VERSION: "0.65.0" # Before upgrading, check if this has been fixed: https://github.com/anchore/syft/issues/1465
-        GRYPE_VERSION: "0.55.0"
+        SYFT_VERSION: "0.72.0"
+        GRYPE_VERSION: "0.57.1"
         OS: ${{ runner.os }}
         ARCH: ${{ runner.arch }}
       run: |
@@ -19,15 +19,15 @@ runs:
         else
           OS=${OS,,}
         fi
-  
+
         if [[ "${ARCH}" = "X64" ]]; then
           ARCH="amd64"
         else
           ARCH=${ARCH,,}
         fi
-        
+
         echo "Downloading for ${OS}/${ARCH}"
-        
+
         curl -fsSLo syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz
         tar -xzf syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz
         sudo install syft /usr/bin/syft

.github/workflows/release-cli.yml

@@ -111,12 +111,12 @@ jobs:
         with:
           go-version: "1.20.1"
 
-      - name: Download Syft & Grype
-        uses: ./.github/actions/install_syft_grype
-
       - name: Install Cosign
         uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
 
+      - name: Download Syft & Grype
+        uses: ./.github/actions/install_syft_grype
+
       # Build one CLI since Syft's go-module catalog will default to binary parsing.
       # Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
       # This seems to work fine for one OS & one arch as long as we don't have OS specific imports.