search

stacklok / minder

Software Supply Chain Security Platform
https://minder-docs.stacklok.dev/
Apache License 2.0
249 stars 35 forks source link

remediate: add artifact signature remediation #1079

Closed jhrozek closed 4 months ago

jhrozek commented 11 months ago

The idea is to add something like:

  - name: Sign the published Docker image
        if: ${{ github.event_name != 'pull_request' }} 
        # This step uses the identity token to provision an ephemeral
        # certificate against the sigstore community Fulcio instance.
        run: |
          # We should be able to get the following (registry, name, tag) from the failing policy, right?
          IMAGE_NAME=<registry>/<image-name>:<tag>
          # Image should be already present locally. If not, we should consider if we can end up in a situation where the image is built, but it is not pushed yet at this step?
          docker pull ${IMAGE_FULL_NAME}
          # Get digest
          IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME})
          # Sign the image. We can consider if we should use the IMAGE_NAME directly (works with cosign) in case we cannot guarantee the digest above to correspond to the image being built.
          cosign sign --yes ${IMAGE_DIGEST}

to the workflow that produces the container image we are checking.

evankanderson commented 4 months ago

This is tracked in https://github.com/stacklok/epics/181, and needs some design because updating the GitHub Actions is tricky.