Update golang image sha #1407

Merged: 4 commits, Dec 27, 2022
2 changes: 1 addition & 1 deletion .github/actions/detect-workflow/Dockerfile
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM golang:1.19.4@sha256:cfaad8202aed5121121dfe3a252e98d5c89cc67fc456cc69fe70eb7dcc1b8cff as builder
FROM golang:1.19.4@sha256:941582ed5a1189ce2c8cf6a806cfb8f5924694e1f58856869f98364315de6231 as builder

WORKDIR /app
COPY . /app
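Review bot: The pinned digest for golang:1.19.4 changes from sha256:cfaad820... to sha256:941582ed... while the tag stays the same, and nothing in the hunk records where the new digest came from. The commit message should state the source of the digest (for example, the manifest digest the registry reported for that tag when the change was made) so a reviewer can re-derive it instead of accepting an opaque hash, and the PR should confirm that .github/workflows/scripts/verify-base-images.sh passes against the updated Dockerfile, since a non-distroless image like this one is checked through Docker Content Trust and a digest that does not appear among the signed tags fails that check.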
23 changes: 12 additions & 11 deletions .github/workflows/scripts/verify-base-images.sh
@@ -17,28 +17,29 @@ set -euo pipefail

# NOTE: Use read to avoid whitespace issues.
find . \( ! -name vendor -o -prune \) \( ! -name node_modules -o -prune \) -type f -name Dockerfile -print0 | while IFS= read -r -d '' f; do
echo "Checking $f"
grep "^FROM " "$f" | while IFS= read -r line; do
image_full=$(echo "$line" | awk '{ print $2 }')
image_name=$(echo "$image_full" | cut -d '@' -f 1)
image_sha=$(echo "$image_full" | cut -d '@' -f 2- | cut -d ':' -f 2-)
echo "Checking ${f}"
grep "^FROM " "${f}" | while IFS= read -r line; do
image_full=$(echo "${line}" | awk '{ print $2 }')
image_name=$(echo "${image_full}" | cut -d '@' -f 1 | cut -d ':' -f 1)
image_tag=$(echo "${image_full}" | cut -d '@' -f 1 | cut -d ':' -f 2)
image_sha=$(echo "${image_full}" | cut -d '@' -f 2- | cut -d ':' -f 2-)

echo "Verifying base image $image_full"
echo "Verifying base image ${image_full}"

# verify that the image contains a sha.
if [ "$image_sha" == "" ]; then
echo "\"$image_full\" should be referenced by digest."
if [ "${image_sha}" == "" ]; then
echo "\"${image_full}\" should be referenced by digest."
exit 2
fi

# verify distroless base images.
if [[ "$image_name" == gcr.io/distroless/* ]]; then
if [[ "${image_name}" == gcr.io/distroless/* ]]; then
# verify the image signature.
cosign verify --key .github/workflows/scripts/distroless.pub "$image_full"
else
# All other base images should be signed using Docker Content Trust.
if ! (DOCKER_CONTENT_TRUST=1 docker trust inspect --pretty "$image_name" | grep "$image_sha"); then
echo "$image_full: unable to verify Docker Content Trust."
if ! (DOCKER_CONTENT_TRUST=1 docker trust inspect "${image_name}:${image_tag}" | jq -r ".[].SignedTags | .[] | select(.SignedTag == \"${image_tag}\") | .Digest" | grep "${image_sha}"); then
echo "${image_full}: unable to verify Docker Content Trust."
exit 2
fi
fi
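Review bot: The new image_name/image_tag split (`cut -d ':' -f 1` and `cut -d ':' -f 2` on the part before '@') keys on the first ':' in the reference, so two legitimate forms are mishandled: a FROM line without a tag (`name@sha256:...`) ends up with image_tag equal to the image name, because cut prints a line with no delimiter unchanged, and a registry host with a port (`host:5000/repo:tag`) is cut to just the host. In both cases `docker trust inspect "${image_name}:${image_tag}"` runs against a reference that does not exist and the script reports a misleading "unable to verify Docker Content Trust" instead of the real problem. Suggest splitting on the last ':' only when it comes after the last '/', and failing with an explicit "tag required" message when there is none, since Docker Content Trust signs tags and a digest-only reference cannot be checked this way. Selecting the matching SignedTag with jq is a real tightening over the old `--pretty` grep, which accepted the digest anywhere in the table regardless of tag; add `-q` to the final grep so the digest is not echoed on success, and keep in mind that the `exit 2` calls run inside the pipeline's `while` subshell, so the outer loop depends on the `set -euo pipefail` shown in the hunk header to propagate the failure.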