Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
18ae86c38e
constellation/.github/actions/container_sbom/action.yml
Fabian Kammel 18ae86c38e
sbom signing (#303) 
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-10-21 15:19:51 +02:00

52 lines
2.2 KiB
YAML
Raw Blame History

name: Container SBOM
description: Create, vuln-check, sign and upload SBOMs for container images.
inputs:
containerReference:
description: "Full reference to container image, e.g., ghcr.io/org/repo/img:tag"
required: true
cosignPublicKey:
description: "Cosign public key"
required: true
cosignPrivateKey:
description: "Cosign private key"
required: true
cosignPassword:
description: "Password for Cosign private key"
required: true
runs:
using: "composite"
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # tag=v2.8.0
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
- name: Download syft & grype
run: |
SYFT_VERSION=0.59.0
GRYPE_VERSION=0.51.0
curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
./syft version
curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
./grype version
echo $(pwd) >> $GITHUB_PATH
shell: bash
- name: Generate SBOM
run: |
set -ex
echo "$COSIGN_PRIVATE_KEY" > cosign.key
syft attest --key cosign.key ${{ inputs.containerReference }} -o cyclonedx-json > container-image.att.json
cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
# TODO: type should be auto-discovered after issue is resolved:
# https://github.com/sigstore/cosign/issues/2264
cosign verify-attestation ${{ inputs.containerReference }} --type 'https://cyclonedx.org/bom' --key env://COSIGN_PUBLIC_KEY
grype ${{ inputs.containerReference }} --fail-on high --only-fixed
shell: bash
env:
# COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
Reference in New Issue View Git Blame Copy Permalink