ci: update Syft to 0.72.0 and Grype to 0.57.1 (#1120)

* ci: update Syft to 0.72.0 and Grype to 0.57.1
* ci: install Cosign before Syft
* ci: directly read private key from environment for Cosign
* ci: add --add-cpes-if-none to Grype
* ci: use cosign attest directly instead of syft attest
Nils Hanke 2023-02-22 14:17:02 +01:00 committed by GitHub
parent c91db4e1c4
commit f13f80b8af
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 11 deletions


@ -33,10 +33,10 @@ runs:
COSIGN_PASSWORD: ${{ inputs.cosignPassword }} COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: | run: |
set -ex set -ex
echo "$COSIGN_PRIVATE_KEY" > cosign.key syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json
syft attest --key cosign.key ${{ inputs.containerReference }} -o cyclonedx-json > container-image.att.json cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type cyclonedx > container-image.att.json
cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
# TODO: type should be auto-discovered after issue is resolved: # TODO: type should be auto-discovered after issue is resolved:
# https://github.com/sigstore/cosign/issues/2264 # https://github.com/sigstore/cosign/issues/2264
cosign verify-attestation ${{ inputs.containerReference }} --type 'https://cyclonedx.org/bom' --key env://COSIGN_PUBLIC_KEY cosign verify-attestation ${{ inputs.containerReference }} --type 'https://cyclonedx.org/bom' --key env://COSIGN_PUBLIC_KEY
grype ${{ inputs.containerReference }} --fail-on high --only-fixed grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none
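Review bot: The new `syft packages` and `cosign attest` lines (and the unchanged `cosign attach`, `cosign verify-attestation` and `grype` lines) splice `${{ inputs.containerReference }}` straight into the `run:` script, so the value is expanded by the Actions runner before bash sees it; a reference containing shell metacharacters would be executed as part of the script rather than treated as one argument. The step already passes `COSIGN_PASSWORD` through `env:` on the line above, so the same pattern would close this gap: add `CONTAINER_REF: ${{ inputs.containerReference }}` next to it and reference `"$CONTAINER_REF"` in the commands. This only matters if a calling workflow can be driven by untrusted input, which I cannot tell from this hunk, but it costs nothing and keeps the expansion quoted. The `env:` key itself starts above the hunk.
```yaml
  COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
  CONTAINER_REF: ${{ inputs.containerReference }}
run: |
  set -ex
  syft packages "$CONTAINER_REF" -o cyclonedx-json > container-image-predicate.json
  cosign attest "$CONTAINER_REF" --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type cyclonedx > container-image.att.json
  cosign attach attestation "$CONTAINER_REF" --attestation container-image.att.json
  # … unchanged: TODO comment about auto-discovered type …
  cosign verify-attestation "$CONTAINER_REF" --type 'https://cyclonedx.org/bom' --key env://COSIGN_PUBLIC_KEY
  grype "$CONTAINER_REF" --fail-on high --only-fixed --add-cpes-if-none
```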


@ -7,8 +7,8 @@ runs:
shell: bash shell: bash
working-directory: /tmp working-directory: /tmp
env: env:
SYFT_VERSION: "0.65.0" # Before upgrading, check if this has been fixed: https://github.com/anchore/syft/issues/1465 SYFT_VERSION: "0.72.0"
GRYPE_VERSION: "0.55.0" GRYPE_VERSION: "0.57.1"
OS: ${{ runner.os }} OS: ${{ runner.os }}
ARCH: ${{ runner.arch }} ARCH: ${{ runner.arch }}
run: | run: |
@ -19,15 +19,15 @@ runs:
else else
OS=${OS,,} OS=${OS,,}
fi fi
if [[ "${ARCH}" = "X64" ]]; then if [[ "${ARCH}" = "X64" ]]; then
ARCH="amd64" ARCH="amd64"
else else
ARCH=${ARCH,,} ARCH=${ARCH,,}
fi fi
echo "Downloading for ${OS}/${ARCH}" echo "Downloading for ${OS}/${ARCH}"
curl -fsSLo syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz curl -fsSLo syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz
tar -xzf syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz tar -xzf syft_${SYFT_VERSION}_${OS}_${ARCH}.tar.gz
sudo install syft /usr/bin/syft sudo install syft /usr/bin/syft


@ -111,12 +111,12 @@ jobs:
with: with:
go-version: "1.20.1" go-version: "1.20.1"
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1 uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype
# Build one CLI since Syft's go-module catalog will default to binary parsing. # Build one CLI since Syft's go-module catalog will default to binary parsing.
# Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI. # Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
# This seems to work fine for one OS & one arch as long as we don't have OS specific imports. # This seems to work fine for one OS & one arch as long as we don't have OS specific imports.