constellation/.github/actions/container_sbom/action.yml
2024-02-21 17:53:53 +01:00

44 lines
1.9 KiB
YAML

name: Container SBOM
description: Create, vuln-check, sign and upload SBOMs for container images.
inputs:
containerReference:
description: "Full reference to container image, e.g., ghcr.io/org/repo/img:tag"
required: true
cosignPublicKey:
description: "Cosign public key"
required: true
cosignPrivateKey:
description: "Cosign private key"
required: true
cosignPassword:
description: "Password for Cosign private key"
required: true
runs:
using: "composite"
steps:
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype
- name: Generate SBOM
shell: bash
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
echo "::group::Generate SBOM"
set -ex
syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json
cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type "https://cyclonedx.org/bom" > container-image.att.json
cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
# TODO(3u13r): type should be auto-discovered after issue is resolved:
# https://github.com/sigstore/cosign/issues/2264
cosign verify-attestation ${{ inputs.containerReference }} --type "https://cyclonedx.org/bom" --key env://COSIGN_PUBLIC_KEY
grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none
echo "::endgroup::"