Commit0ea76fe

committed
chore: add syft and cosign for sbom attestation
Change-Id: I3f9b6e0447713eb16e50af9b1645d6cacf1af9fa
Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent e8d3caf commit 0ea76fe


6 files changed

+53
-21
lines changed


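--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1024,6 +1024,7 @@ jobs:
       # Necessary to push docker images to ghcr.io.
       packages: write
       # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+      # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
       id-token: write
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
@@ -1069,6 +1070,16 @@ jobs:
       - name: Install zstd
         run: sudo apt-get install -y zstd
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        with:
+          cosign-release: "v2.4.3"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        with:
+          syft-version: "v1.20.0"
+
       - name: Setup Windows EV Signing Certificate
         run: |
           set -euo pipefail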

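--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -122,6 +122,7 @@ jobs:
       # Necessary to push docker images to ghcr.io.
       packages: write
       # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+      # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
       id-token: write
     env:
       # Necessary for Docker manifest
@@ -246,6 +247,16 @@ jobs:
           apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
           rm /tmp/rcodesign.tar.gz
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        with:
+          cosign-release: "v2.4.3"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        with:
+          syft-version: "v1.20.0"
+
       - name: Setup Apple Developer certificate and API key
         run: |
           set -euo pipefail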
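Review bot: The new permission comment says keyless cosign needs `id-token: write` but nothing records which Fulcio identity consumers should expect when verifying the resulting attestations, and with keyless signing that identity is bound to this workflow file and the ref it ran on, so a verifier cannot guess it. I would extend the comment to spell it out, e.g. `# Keyless attestations are issued under the identity https://github.com/<owner>/<repo>/.github/workflows/release.yaml@<ref> (issuer https://token.actions.githubusercontent.com); verify with cosign verify-attestation --certificate-identity-regexp '...' --certificate-oidc-issuer https://token.actions.githubusercontent.com`, with the real owner/repo filled in. It is also worth a sentence that `id-token: write` lets every step in this job mint OIDC tokens, not only the cosign step, since the same job already handles signing certificates. The job definition starts before this hunk.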

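--- a/dogfood/coder/Dockerfile
+++ b/dogfood/coder/Dockerfile
@@ -278,7 +278,9 @@ ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \
 	KUBECTX_VERSION=0.9.4 \
 	STRIPE_VERSION=1.14.5 \
 	TERRAGRUNT_VERSION=0.45.11 \
-	TRIVY_VERSION=0.41.0
+	TRIVY_VERSION=0.41.0 \
+	SYFT_VERSION=1.20.0 \
+	COSIGN_VERSION=2.4.3
 
 # cloud_sql_proxy, for connecting to cloudsql instances
 # the upstream go.mod prevents this from being installed with go install
@@ -316,7 +318,13 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox
 	chmod a=rx /usr/local/bin/terragrunt && \
 	# AquaSec Trivy for scanning container images for security issues
 	curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- trivy
+	tar --extract --gzip --directory=/usr/local/bin --file=- trivy && \
+	# Anchore Syft for SBOM generation
+	curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux-amd64.tar.gz" | \
+	tar --extract --gzip --directory=/usr/local/bin --file=- syft \
+	# Sigstore Cosign for artifact signing and attestation
+	curl --silent --show-error --location --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \
+	chmod a=rx /usr/local/bin/cosign
 
 # We use yq during "make deploy" to manually substitute out fields in
 # our helm values.yaml file. See https://github.com/helm/helm/issues/3141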
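Review bot: The syft extraction line in the second hunk ends in `syft \` with no `&&`, unlike every neighbouring step; once the Dockerfile parser drops the `# Sigstore Cosign ...` comment line that sits inside the continuation, the cosign `curl ... --output /usr/local/bin/cosign "https://..."` becomes extra arguments to `tar`, which either fails the build on an unrecognised option or, at best, never downloads cosign. The fix is the one-character change `tar --extract --gzip --directory=/usr/local/bin --file=- syft && \`. Separately, syft and cosign are the tools that will later vouch for the image, yet both binaries are fetched over curl with no checksum or signature verification; pinning a `sha256sum -c` against the published checksums for these two downloads (or `cosign verify-blob` on the cosign binary) would close that bootstrap gap, whereas the pre-existing trivy line shares the weakness but is not new here. The RUN instruction these lines belong to starts before this hunk.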

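--- a/flake.nix
+++ b/flake.nix
@@ -113,6 +113,7 @@
             bat
             cairo
             curl
+            cosign
             delve
             dive
             drpc.defaultPackage.${system}
@@ -161,6 +162,7 @@
             shellcheck
             (pinnedPkgs.shfmt)
             sqlc
+            syft
             unstablePkgs.terraform
             typos
             which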

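--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -136,12 +136,10 @@ fi
 
 log "--- Building Docker image for $arch ($image_tag)"
 
-docker buildx build \
+docker build \
 	--platform "$arch" \
 	--build-arg "BASE_IMAGE=$base_image" \
 	--build-arg "CODER_VERSION=$version" \
-	--provenance true \
-	--sbom true \
 	--no-cache \
 	--tag "$image_tag" \
 	-f Dockerfile \
@@ -155,4 +153,17 @@ if [[ "$push" == 1 ]]; then
 	docker push "$image_tag" 1>&2
 fi
 
+log "--- Generating SBOM for Docker image ($image_tag)"
+syft "$image_tag" -o spdx-json > "${image_tag}.spdx.json"
+
+if [[ "$push" == 1 ]]; then
+	log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
+	COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
+
+	COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+		--predicate "${image_tag}.spdx.json" \
+		--yes \
+		"$image_tag"
+fi
+
 echo "$image_tag"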
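Review bot: `syft "$image_tag" -o spdx-json > "${image_tag}.spdx.json"` builds a filesystem path out of the image reference; if `$image_tag` carries a registry/repository prefix such as `host/org/name:tag` (it is the argument to `docker push`, so it presumably does) the redirect points into a directory that does not exist and the script aborts before attesting, and when it does succeed the SBOM file is left behind in the working tree. Writing the predicate to a `mktemp` file with an EXIT trap avoids both problems. The attestation is also attached to whatever the mutable tag resolves to at that moment; after the push, resolving the digest and handing `cosign attest` an `image@sha256:...` reference binds the SBOM to the exact content that was built. Two smaller points: `cosign clean` deletes every signature and attestation already attached to that image, so re-running the script for a published tag silently discards anything attached earlier, and `COSIGN_EXPERIMENTAL=1` is a no-op on cosign 2.x where keyless is the default.

```shell
sbom_file="$(mktemp)"
trap 'rm -f "$sbom_file"' EXIT

log "--- Generating SBOM for Docker image ($image_tag)"
syft "$image_tag" -o spdx-json >"$sbom_file"

if [[ "$push" == 1 ]]; then
	# Attest the pushed digest rather than the mutable tag.
	image_digest="$(docker inspect --format '{{index .RepoDigests 0}}' "$image_tag")"
	log "--- Attesting SBOM to Docker image for $arch ($image_digest)"
	# … unchanged: cosign clean …
	cosign attest --type spdxjson \
		--predicate "$sbom_file" \
		--yes \
		"$image_digest"
fi
```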

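--- a/scripts/build_docker_multiarch.sh
+++ b/scripts/build_docker_multiarch.sh
@@ -77,24 +77,13 @@ done
 
 # Sadly, manifests don't seem to support labels.
 log "--- Creating multi-arch Docker image ($target)"
-
-# Create a buildx builder instance if it doesn't exist
-if ! docker buildx inspect multiarch-builder &>/dev/null; then
-	docker buildx create --name multiarch-builder --use
-fi
-
-# Create manifest with buildx imagetools
-log "--- Creating multi-arch manifest with attestations"
-
-# For images with attestations, we preserve the entire structure by using image tags directly,
-# letting Docker handle retrieving both the architecture manifests and attestation manifests
-docker buildx imagetools create --tag "$target" "$@"
+docker manifest create \
+	"$target" \
+	"${create_args[@]}"
 
 if [[ "$push" == 1 ]]; then
-	log "--- Verifying multi-arch Docker image ($target)"
-	# The manifest is already created and pushed when using buildx imagetools create
-	# We just need to verify it exists
-	docker buildx imagetools inspect "$target"
+	log "--- Pushing multi-arch Docker image ($target)"
+	docker manifest push "$target"
 fi
 
 echo "$target"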
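Review bot: With `docker manifest create` / `docker manifest push` the multi-arch index `$target` is a new manifest list that carries no attestation of its own: the cosign attestations are attached to the per-architecture image digests by build_docker.sh, so `cosign verify-attestation "$target"` resolves the index digest and finds nothing. Either attest the index after `docker manifest push` (take its digest from `docker manifest inspect` and pass `"$target@sha256:..."` to `cosign attest`, bearing in mind a single SPDX predicate will not describe both architectures accurately) or add a comment next to the push such as `# Attestations live on the per-arch digests; verify those, not this index.` so consumers know what to verify. `create_args` is not defined in this hunk; I am assuming the loop whose `done` appears in the hunk header still populates it with the same per-arch references the removed `"$@"` call received.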

