fix(cosign): use digest instead of latest

adfinis · Mar 25, 2024 · 7315c89 · 7315c89
1 parent 5498617
commit 7315c89
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 5 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -47,6 +47,7 @@ jobs:
       - name: Build and Push API Docker Image
         if: steps.semrel.outputs.version != ''
         uses: docker/build-push-action@v5
+        id: docker-api
         with:
           context: ./api/
           target: prod
@@ -58,13 +59,58 @@ jobs:
       - name: Build and Push Ember Docker Image
         if: steps.semrel.outputs.version != ''
         uses: docker/build-push-action@v5
+        id: docker-ember
         with:
           context: ./ember/
           push: true
           tags: |
             ghcr.io/${{ github.repository }}/ember:${{ steps.semrel.outputs.version }}
             ghcr.io/${{ github.repository }}/ember:latest
 
+      - name: Run Trivy vulnerability scanner on api
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ghcr.io/${{ github.repository }}/api
+          format: "json"
+          output: "api.json"
+
+      - name: Run Trivy vulnerability scanner on ember
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ghcr.io/${{ github.repository }}/ember
+          format: "json"
+          output: "ember.json"
+
+      - name: Sign the image with GitHub OIDC Token using cosign
+        run: cosign sign --yes ${{ github.repository }}/${{ inputs.image-ref }}@latest
+        if: ${{ inputs.sign }}
+
+      - name: Convert api trivy results to CycloneDX
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: api.json
+          scan-type: "convert"
+          format: "cyclonedx"
+          # skip --vuln-type arg
+          vuln-type: ""
+          output: "api.cdx"
+
+      - name: Convert ember trivy results to CycloneDX
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ember.json
+          scan-type: "convert"
+          format: "cyclonedx"
+          # skip --vuln-type arg
+          vuln-type: ""
+          output: "ember.cdx"
+
+      - name: Attach an SBOM attestation to the signed api image
+        run: cosign attest --yes --type cyclonedx --predicate api.cdx ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
+
+      - name: Attach an SBOM attestation to the signed ember image
+        run: cosign attest --yes --type cyclonedx --predicate ember.cdx ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
+
       - name: Set up Helm
         if: steps.semrel.outputs.version != ''
         uses: azure/[email protected]
@@ -88,10 +134,12 @@ jobs:
     uses: ./.github/workflows/trivy-scan.yaml
     with:
       image-ref: api
+      attest: ${{ jobs.semrel.result == success }}
 
   trivy-scan-ember:
     if: always()
     needs: semrel
     uses: ./.github/workflows/trivy-scan.yaml
     with:
       image-ref: ember
+      attest: ${{ jobs.semrel.result == success }}
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
@@ -14,11 +14,6 @@ on:
 
 jobs:
   trivy-scan:
-    permissions:
-      packages: write
-      security-events: write
-      id-token: write # needed for signing images with GitHub OIDC (cosign)
-
     runs-on: ubuntu-latest
     name: Scan ${{ inputs.image-ref }}
     steps:
@@ -56,6 +51,7 @@ jobs:
           sarif_file: "${{ inputs.image-ref }}.sarif"
 
       - name: Convert trivy results to cosign-vuln
+        if: ${{ inputs.attest }}
         uses: aquasecurity/[email protected]
         with:
           image-ref: ${{ inputs.image-ref }}.json