name: Container SBOM description: Create, vuln-check, sign and upload SBOMs for container images. inputs: containerReference: description: "Full reference to container image, e.g., ghcr.io/org/repo/img:tag" required: true cosignPublicKey: description: "Cosign public key" required: true cosignPrivateKey: description: "Cosign private key" required: true cosignPassword: description: "Password for Cosign private key" required: true runs: using: "composite" steps: - name: Install Cosign if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Download Syft & Grype uses: ./.github/actions/install_syft_grype - name: Generate SBOM shell: bash env: COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} COSIGN_PASSWORD: ${{ inputs.cosignPassword }} run: | echo "::group::Generate SBOM" set -ex syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type "https://cyclonedx.org/bom" > container-image.att.json cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json # TODO(3u13r): type should be auto-discovered after issue is resolved: # https://github.com/sigstore/cosign/issues/2264 cosign verify-attestation ${{ inputs.containerReference }} --type "https://cyclonedx.org/bom" --key env://COSIGN_PUBLIC_KEY grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none echo "::endgroup::"