constellation/.github/actions/container_sbom/action.yml

name: Container SBOM
description: Create, vuln-check, sign and upload SBOMs for container images.
inputs:
  containerReference:
    description: "Full reference to container image, e.g., ghcr.io/org/repo/img:tag"
    required: true
  cosignPublicKey:
    description: "Cosign public key"
    required: true
  cosignPrivateKey:
    description: "Cosign private key"
    required: true
  cosignPassword:
    description: "Password for Cosign private key"
    required: true

runs:
  using: "composite"
  steps:
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1

    - name: Download Syft & Grype
      uses: ./.github/actions/install_syft_grype

    - name: Generate SBOM
      shell: bash
      env:
        # COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
      run: |
        echo "::group::Generate SBOM"
        set -ex
        syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json
        cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type "https://cyclonedx.org/bom" > container-image.att.json
        cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
        # TODO: type should be auto-discovered after issue is resolved:
        # https://github.com/sigstore/cosign/issues/2264
        cosign verify-attestation ${{ inputs.containerReference }} --type "https://cyclonedx.org/bom" --key env://COSIGN_PUBLIC_KEY
        grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none
        echo "::endgroup::"