Log monitor for Rekor to verify immutability and monitor entries
sigstore/rekor-monitor
Rekor Log Monitor provides an easy-to-use monitor to verify log consistency, i.e. that the log is immutable and append-only. Monitoring is critical to the transparency log ecosystem, as logs are tamper-evident but not tamper-proof: a consistency check detects that a log's history was rewritten, it does not prevent it. Rekor Log Monitor also provides a monitor to search for identities within a log and send a list of found identities via various notification platforms.
To run, create a GitHub Actions workflow that uses the reusable monitoring workflow. It is recommended to run the log monitor every hour.
Example workflow:

```yaml
name: Rekor log monitor
on:
  schedule:
    - cron: '0 * * * *' # every hour

permissions: read-all

jobs:
  run_consistency_proof:
    permissions:
      contents: read # Needed to checkout repositories
      issues: write # Needed if you set "file_issue: true"
      id-token: write # Needed to detect the current reusable repository and ref
    uses: sigstore/rekor-monitor/.github/workflows/reusable_monitoring.yml@main
    with:
      file_issue: true # Strongly recommended: Files an issue on monitoring failure
      artifact_retention_days: 14 # Optional, default is 14: Must be longer than the cron job frequency
```
Caveats:
- The log monitoring job should not be run concurrently with other log monitoring jobs in the same repository
- If running as a cron job, `artifact_retention_days` must be longer than the cron job frequency, since the previous run's checkpoint is carried over to the next run as a workflow artifact
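The consistency check the monitor performs between two checkpoints, as an added example in Go (written for this page, not rekor-monitor's own implementation): it builds an RFC 6962 Merkle tree over constructed in-memory leaves, produces the consistency proof a log would serve, and verifies it with the RFC 9162 algorithm. Real Rekor checkpoints are signed and fetched over the API; the example assumes RFC 6962 hashing and only handles the sizes, roots and proof once you have them.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"math/bits"
)

// RFC 6962 hashing: leaves (0x00) and interior nodes (0x01) are domain-separated.
func leafHash(d []byte) []byte {
	s := sha256.Sum256(append([]byte{0x00}, d...))
	return s[:]
}

func nodeHash(l, r []byte) []byte {
	s := sha256.Sum256(append(append([]byte{0x01}, l...), r...))
	return s[:]
}

// split is the RFC 6962 split point: the largest power of two strictly below n (n >= 2).
func split(n int) int { return 1 << (bits.Len(uint(n-1)) - 1) }

// rootHash computes the Merkle tree hash MTH(D[0:n]) of the given leaves.
func rootHash(leaves [][]byte) []byte {
	switch n := len(leaves); n {
	case 0:
		s := sha256.Sum256(nil)
		return s[:]
	case 1:
		return leafHash(leaves[0])
	}
	k := split(len(leaves))
	return nodeHash(rootHash(leaves[:k]), rootHash(leaves[k:]))
}

// consistencyProof returns PROOF(m, D[n]) (RFC 6962 section 2.1.2): the sibling
// hashes showing that the first m leaves are an untouched prefix of all n leaves.
func consistencyProof(leaves [][]byte, m int) [][]byte {
	if m <= 0 || m > len(leaves) {
		return nil
	}
	return subproof(leaves, m, true)
}

func subproof(leaves [][]byte, m int, complete bool) [][]byte {
	n := len(leaves)
	if m == n {
		if complete {
			return nil
		}
		return [][]byte{rootHash(leaves)}
	}
	k := split(n)
	if m <= k {
		return append(subproof(leaves[:k], m, complete), rootHash(leaves[k:]))
	}
	return append(subproof(leaves[k:], m-k, false), rootHash(leaves[:k]))
}

// verifyConsistency is the RFC 9162 section 2.1.4.2 check: it recomputes both roots
// from the proof and fails unless the tree of size second extends the tree of size first.
func verifyConsistency(first, second int, firstRoot, secondRoot []byte, proof [][]byte) error {
	switch {
	case first < 1 || first > second:
		return errors.New("old size must lie between 1 and the new size")
	case first == second:
		if len(proof) == 0 && bytes.Equal(firstRoot, secondRoot) {
			return nil
		}
		return errors.New("equal sizes but roots differ or proof is non-empty")
	case len(proof) == 0:
		return errors.New("empty proof")
	}
	if first&(first-1) == 0 { // old size is a power of two: the old root itself is the first node
		proof = append([][]byte{firstRoot}, proof...)
	}
	fn, sn := first-1, second-1
	for fn&1 == 1 { // skip levels where the last old leaf's path is a right child
		fn, sn = fn>>1, sn>>1
	}
	fr, sr := proof[0], proof[0]
	for _, c := range proof[1:] {
		if sn == 0 {
			return errors.New("proof has too many nodes")
		}
		if fn&1 == 1 || fn == sn {
			fr, sr = nodeHash(c, fr), nodeHash(c, sr) // c is a left sibling on both paths
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			sr = nodeHash(sr, c) // c lies only on the new tree's path
		}
		fn, sn = fn>>1, sn>>1
	}
	if sn != 0 || !bytes.Equal(fr, firstRoot) || !bytes.Equal(sr, secondRoot) {
		return errors.New("proof does not link the checkpoints: history rewritten or proof malformed")
	}
	return nil
}
```

Call `verifyConsistency(oldSize, newSize, oldRoot, newRoot, proof)` with the sizes and roots of the saved and the current checkpoint and the proof the log serves for that pair. A log that rewrote an entry older than the saved checkpoint still serves a well-formed tree and proof for its new history, but that proof cannot reproduce the saved root, which is exactly what the monitor flags.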
You can also specify a list of identities to monitor. Currently, only identities from the certificate's Subject Alternative Name (SAN) field will be matched, and only for the hashedrekord Rekor entry type.

Note: `certIdentities.certSubject`, `certIdentities.issuers` and `subjects` are expecting regular expressions; see the Go `regexp` (RE2) syntax reference. Dots in a literal address such as `user@domain\.com` therefore need escaping.
Note: The log monitor only starts monitoring from the latest checkpoint. If you want to search previous entries, you will need to query the log directly.
To run, create a GitHub Actions workflow that uses the reusable monitoring workflow and passes the identities to monitor as part of the `config` input. It is recommended to run the log monitor every hour.

Example workflow below:
```yaml
name: Rekor log and identity monitor
on:
  schedule:
    - cron: '0 * * * *' # every hour

permissions: read-all

jobs:
  run_consistency_proof:
    permissions:
      contents: read # Needed to checkout repositories
      issues: write # Needed if you set "file_issue: true"
      id-token: write # Needed to detect the current reusable repository and ref
    uses: sigstore/rekor-monitor/.github/workflows/reusable_monitoring.yaml@main
    with:
      file_issue: true # Strongly recommended: Files an issue on monitoring failure
      artifact_retention_days: 14 # Optional, default is 14: Must be longer than the cron job frequency
      config: |
        monitoredValues:
          certIdentities:
            - certSubject: user@domain\.com
            - certSubject: otheruser@domain\.com
              issuers:
                - https://accounts\.google\.com
                - https://github\.com/login
            - certSubject: https://github\.com/actions/starter-workflows/blob/main/\.github/workflows/lint\.yaml@.*
              issuers:
                - https://token\.actions\.githubusercontent\.com
          subjects:
            - subject@domain\.com
          fingerprints:
            - A0B1C2D3E4F5
          fulcioExtensions:
            build-config-uri:
              - https://example.com/owner/repository/build-config.yml
          customExtensions:
            - objectIdentifier: 1.3.6.1.4.1.57264.1.9
              extensionValues: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
```
In this example, the monitor will log:
- Entries that contain a certificate whose SAN is `user@domain.com`
- Entries whose SAN is `otheruser@domain.com` and whose OIDC provider, recorded in a custom Fulcio extension, matches one of the specified issuers (Google or GitHub in this example)
- Entries whose SAN starts with `https://github.com/actions/starter-workflows/blob/main/.github/workflows/lint.yaml@` and whose OIDC provider matches `https://token.actions.githubusercontent.com`
- Non-certificate entries, such as PGP or SSH keys, whose subject matches `subject@domain.com`
- Entries whose key or certificate fingerprint matches `A0B1C2D3E4F5`
- Entries that contain a certificate with a Build Config URI extension matching `https://example.com/owner/repository/build-config.yml`
- Entries that contain a certificate with OID extension `1.3.6.1.4.1.57264.1.9` (Fulcio OID for Build Signer URI) and an extension value matching `https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0`
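How the `certIdentities`, `subjects` and `fingerprints` filters above combine, as an added example in Go (written for this page, not rekor-monitor's own matcher): the `MonitoredValues` and `Entry` types are hypothetical, `Entry` holds what a monitor is assumed to extract from one hashedrekord entry, and every pattern is anchored to the whole value, which is this example's choice and stricter than an unanchored search.

```go
package main

import "regexp"

// CertIdentity and MonitoredValues mirror the monitoredValues config above
// (hypothetical Go types for this example, not the project's own).
type CertIdentity struct {
	CertSubject string   // regex matched against each SAN in the entry's certificate
	Issuers     []string // optional regexes; when set, the OIDC issuer must also match one
}

type MonitoredValues struct {
	CertIdentities []CertIdentity
	Subjects       []string // regexes for non-certificate entries (PGP, SSH, ...)
	Fingerprints   []string // exact key or certificate fingerprints
}

// Entry holds what a monitor would extract from one hashedrekord entry.
type Entry struct {
	SANs        []string // empty when the entry was signed with a bare key
	Issuer      string   // OIDC issuer recorded in the Fulcio extension, if any
	Subject     string   // subject of a non-certificate entry
	Fingerprint string
}

// matchFull anchors the pattern to the whole value, so user@domain\.com cannot
// match xuser@domain.com or user@domain.com.attacker.example (a choice made for
// this example; an unanchored MatchString would accept both).
func matchFull(pattern, value string) (bool, error) {
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return false, err
	}
	return re.MatchString(value), nil
}

func anyMatch(patterns []string, value string) (bool, error) {
	for _, p := range patterns {
		if ok, err := matchFull(p, value); err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

// MatchEntry returns the monitored values the entry satisfies, in config order.
func MatchEntry(cfg MonitoredValues, e Entry) ([]string, error) {
	var found []string
	for _, id := range cfg.CertIdentities {
		for _, san := range e.SANs {
			ok, err := matchFull(id.CertSubject, san)
			if ok && err == nil && len(id.Issuers) > 0 { // an issuer list narrows the match
				ok, err = anyMatch(id.Issuers, e.Issuer)
			}
			if err != nil {
				return nil, err
			}
			if ok {
				found = append(found, "certSubject:"+san)
			}
		}
	}
	if len(e.SANs) == 0 && e.Subject != "" { // subjects apply only to non-certificate entries
		ok, err := anyMatch(cfg.Subjects, e.Subject)
		if err != nil {
			return nil, err
		}
		if ok {
			found = append(found, "subject:"+e.Subject)
		}
	}
	for _, fp := range cfg.Fingerprints {
		if fp == e.Fingerprint {
			found = append(found, "fingerprint:"+fp)
		}
	}
	return found, nil
}

// SampleConfig reproduces the certIdentities, subjects and fingerprints from the
// workflow above as Go values.
func SampleConfig() MonitoredValues {
	return MonitoredValues{
		CertIdentities: []CertIdentity{
			{CertSubject: `user@domain\.com`},
			{CertSubject: `otheruser@domain\.com`, Issuers: []string{`https://accounts\.google\.com`, `https://github\.com/login`}},
			{CertSubject: `https://github\.com/actions/starter-workflows/blob/main/\.github/workflows/lint\.yaml@.*`,
				Issuers: []string{`https://token\.actions\.githubusercontent\.com`}},
		},
		Subjects:     []string{`subject@domain\.com`},
		Fingerprints: []string{"A0B1C2D3E4F5"},
	}
}
```

Because the patterns are plain regular expressions, a malformed one is a configuration error rather than a silent non-match, so `MatchEntry` returns it instead of skipping the identity.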
Fingerprint values are as follows:
- For keys, certificates, and minisign: hex-encoded SHA-256 digest of the DER-encoded PKIX public key or certificate
- For SSH and PGP, the standard for each ecosystem:
  - For SSH: unpadded base64-encoded SHA-256 digest of the key
  - For PGP: hex-encoded SHA-1 digest of a key, which can be either a primary key or subkey
Upcoming features:
- Creating issues when identities are found
- Support for other identities
- CI identity values in Fulcio certificates
Certificate transparency log instances can also be monitored. To run, create a GitHub Actions workflow that uses the reusable certificate transparency log monitoring workflow. It is recommended to run the log monitor every hour.
Example workflow below:
```yaml
name: Fulcio log and identity monitor
on:
  schedule:
    - cron: '0 * * * *' # every hour

permissions: read-all

jobs:
  run_consistency_proof:
    permissions:
      contents: read # Needed to checkout repositories
      issues: write # Needed if you set "file_issue: true"
      id-token: write # Needed to detect the current reusable repository and ref
    uses: sigstore/rekor-monitor/.github/workflows/reusable_monitoring.yaml@main
    with:
      file_issue: true # Strongly recommended: Files an issue on monitoring failure
      artifact_retention_days: 14 # Optional, default is 14: Must be longer than the cron job frequency
      identities: |
        certIdentities:
          - certSubject: user@domain\.com
          - certSubject: otheruser@domain\.com
            issuers:
              - https://accounts\.google\.com
              - https://github\.com/login
          - certSubject: https://github\.com/actions/starter-workflows/blob/main/\.github/workflows/lint\.yaml@.*
            issuers:
              - https://token\.actions\.githubusercontent\.com
        fulcioExtensions:
          build-config-uri:
            - https://example.com/owner/repository/build-config.yml
        customExtensions:
          - objectIdentifier: 1.3.6.1.4.1.57264.1.9
            extensionValues: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
```
Please report any vulnerabilities following Sigstore's security process.