From a6dc5f19d743802bc5acc725ba9018e0baf7b4e0 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Fri, 13 Dec 2024 15:31:26 -0500
Subject: [PATCH] Sign main branch Unified container builds with cosign and perform security scanning
---
 .github/workflows/build-cli-docker.yml | 35 ++++++++++++++++++++++++++
 .github/workflows/publish-bws.yml | 33 ++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/.github/workflows/build-cli-docker.yml b/.github/workflows/build-cli-docker.yml
index d01e81256..ec1391263 100644
--- a/.github/workflows/build-cli-docker.yml
+++ b/.github/workflows/build-cli-docker.yml
@@ -14,6 +14,10 @@ jobs:
 build-docker:
 name: Build Docker image
 runs-on: ubuntu-22.04
+ permissions:
+ security-events: write
+ id-token: write
+
 steps:
 - name: Checkout Repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -86,6 +90,7 @@ jobs:
 fi

 - name: Build and push Docker image
+ id: build-docker
 uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 context: .
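Review bot: The new job-level `permissions:` block under `build-docker` lists only `security-events: write` and `id-token: write`, which resets every other scope for this job to none, including `contents`; the same block is added to `publish-docker` in publish-bws.yml. On a public repository `actions/checkout` and `upload-sarif` appear to work without it, but on a private repository both need `contents: read` (and upload-sarif also `actions: read`), so the job would fail at the Checkout step; stating `contents: read` alongside the two write scopes documents the intent either way. `id-token: write` is granted on every run even though the signing steps later in this file run only on pushes to main; that is harmless, but a comment such as `# id-token: write is required only for keyless cosign signing on main` would explain why the scope is present.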
@@ -98,6 +103,36 @@ jobs:
 secrets: |
 "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

+ - name: Install Cosign
+ if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+ - name: Sign image with Cosign
+ if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+ env:
+ DIGEST: ${{ steps.build-docker.outputs.digest }}
+ TAGS: ${{ steps.tag-list.outputs.tags }}
+ run: |
+ IFS="," read -a tags <<< "${TAGS}"
+ images=""
+ for tag in "${tags[@]}"; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
+
+ - name: Scan Docker image
+ id: container-scan
+ uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
+ with:
+ image: ${{ steps.tag-list.outputs.primary_tag }}
+ fail-build: false
+ output-format: sarif
+
+ - name: Upload Grype results to GitHub
+ uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+ with:
+ sarif_file: ${{ steps.container-scan.outputs.sarif }}
+
 - name: Log out of Docker and disable Docker Notary
 if: ${{ env.is_publish_branch == 'true' }}
 run: |
diff --git a/.github/workflows/publish-bws.yml b/.github/workflows/publish-bws.yml
index 99b874ae0..5ba743ab2 100644
--- a/.github/workflows/publish-bws.yml
+++ b/.github/workflows/publish-bws.yml
@@ -115,7 +115,11 @@ jobs:
 publish-docker:
 name: Publish docker versioned and latest image
 runs-on: ubuntu-22.04
+ permissions:
+ security-events: write
+ id-token: write
 needs: setup
+
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -171,6 +175,7 @@ jobs:
 azure-keyvault-name: "bitwarden-ci"

 - name: Build and push Docker image
+ id: build-docker
 uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 context: .
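Review bot: The two Cosign steps are gated on `github.ref == 'refs/heads/main'`, while the Log-out step at the bottom of the same hunk gates on `env.is_publish_branch == 'true'`; if that variable covers branches other than main, images pushed from those branches reach the registry unsigned, so either the signing condition should be `if: ${{ env.is_publish_branch == 'true' }}` or a comment should state why only main is signed. The Scan and Upload steps carry no condition at all, and since the `if` on the signing steps implies this workflow also runs on `pull_request`, `upload-sarif` will fail on pull requests from forks, where the token is read-only and `security-events: write` cannot be granted. The scan also targets `primary_tag`, whereas the signature covers `${tag}@${DIGEST}`; scanning the same digest-pinned reference would make the SARIF result attributable to exactly the signed artifact. Keyless signing is added without documenting the identity verifiers should check, so a comment next to `cosign sign --yes` naming the expected certificate identity (this workflow) and OIDC issuer (GitHub Actions) would let consumers write a correct `cosign verify` invocation; `read -a tags` should also be `read -r -a tags` so backslashes in tag input are not interpreted.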
@@ -183,6 +188,34 @@ jobs:
 secrets: |
 "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

+ - name: Install Cosign
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+ - name: Sign image with Cosign
+ env:
+ DIGEST: ${{ steps.build-docker.outputs.digest }}
+ TAGS: ${{ steps.tag-list.outputs.tags }}
+ run: |
+ IFS="," read -a tags <<< "${TAGS}"
+ images=""
+ for tag in "${tags[@]}"; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
+
+ - name: Scan Docker image
+ id: container-scan
+ uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
+ with:
+ image: ${{ steps.tag-list.outputs.primary_tag }}
+ fail-build: false
+ output-format: sarif
+
+ - name: Upload Grype results to GitHub
+ uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+ with:
+ sarif_file: ${{ steps.container-scan.outputs.sarif }}
+
 - name: Log out of Docker and disable Docker Notary
 if: ${{ inputs.release_type != 'Dry Run' }}
 run: |
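Review bot: In publish-bws.yml the Install Cosign and Sign image steps have no condition, yet the Log-out step directly below them is skipped when `inputs.release_type` is `Dry Run`; if a dry run builds without pushing, `steps.build-docker.outputs.digest` is either empty or names an image the registry does not hold, and `cosign sign` will fail the run (or be asked to sign `tag@` references). Both new steps should carry the same guard as the Log-out step, `if: ${{ inputs.release_type != 'Dry Run' }}`, unless the intent is for dry runs to never reach this point. `fail-build: false` means a release is published regardless of what Grype reports, which is a reasonable advisory-only policy but should be recorded in place, e.g. `# Scan is advisory: results go to code scanning and never block the release`. The gating, digest-vs-tag and `read -r` remarks made on the build-cli-docker.yml hunk apply to this copy as well.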