forked from external-secrets/external-secrets
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: attach sbom/provenance files to GH release, fix clomonitor (ext…
…ernal-secrets#1656) * feat: attach sbom/provenance files to GH release, fix clomonitor Signed-off-by: Moritz Johner <[email protected]> * fix: remove codesee Signed-off-by: Moritz Johner <[email protected]> Signed-off-by: Moritz Johner <[email protected]>
- Loading branch information
Showing
6 changed files
with
30 additions
and
92 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| licenseScanning: | ||
| # License scanning of dependencies is done from a GitHub Action. | ||
| # You can view the latest results on the main branch following this link | ||
| url: https://github.com/external-secrets/external-secrets/actions/workflows/dlc.yml?query=branch%3Amain |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| * @external-secrets/maintainers |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -67,28 +67,30 @@ runs: | |
|
|
||
| - name: Attach SBOM to image | ||
| shell: bash | ||
| id: sbom | ||
| env: | ||
| COSIGN_EXPERIMENTAL: "1" | ||
| run: | | ||
| syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom-spdx.json | ||
| cosign attest --predicate sbom-spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" | ||
| syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json | ||
| cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" | ||
| cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson' | ||
| - name: Generate provenance | ||
| uses: philips-labs/[email protected] | ||
| with: | ||
| command: generate | ||
| subcommand: container | ||
| arguments: --repository "${{ inputs.image-name }}" --output-path provenance.att --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}" | ||
| arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}" | ||
| env: | ||
| COSIGN_EXPERIMENTAL: "0" | ||
| GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}" | ||
|
|
||
| - name: Attach provenance | ||
| shell: bash | ||
| id: provenance | ||
| env: | ||
| COSIGN_EXPERIMENTAL: "1" | ||
| run: | | ||
| jq '.predicate' provenance.att > provenance-predicate.att | ||
| jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl > provenance-predicate.att | ||
| cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" | ||
| cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | ||
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -44,10 +44,17 @@ Anyone is welcome to join. Feel free to ask questions, request feedback, raise a | |
|
|
||
| Please report vulnerabilities by email to [email protected]. Also see our [SECURITY.md file](SECURITY.md) for details. | ||
|
|
||
| ## software bill of materials | ||
| We attach SBOM and provenance file to our GitHub release. Also, they are attached to container images. | ||
|
|
||
| ## Adopters | ||
|
|
||
| Please create a PR and add your company or project to our [ADOPTERS.md file](ADOPTERS.md) if you are using our project! | ||
|
|
||
| ## Roadmap | ||
|
|
||
| You can find the roadmap in our documentation: https://external-secrets.io/main/contributing/roadmap/ | ||
|
|
||
| ## Kicked off by | ||
|
|
||
|  | ||
|
|
||