Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement Container Signing for Docker Images (AST-51994) #877

Merged
merged 4 commits into from
Sep 18, 2024
Merged

Implement Container Signing for Docker Images (AST-51994) #877

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
05ba385
Implement Container Signing for Docker Images
elchananarb Sep 17, 2024
f7a97d9
add Verify Docker image signature
elchananarb Sep 18, 2024
963b68f
Merge branch 'main' into feature/elchanan/signing_docker_images
elchananarb Sep 18, 2024
b3f8592
Merge branch 'main' into feature/elchanan/signing_docker_images
elchananarb Sep 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,17 @@ jobs:
SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} # Secret for Cosign private key
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} # Secret for Cosign password
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} # Secret for Cosign public key

- name: Verify Docker image signature
if: inputs.dev == false
run: |
echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub
cosign verify --key cosign.pub checkmarx/ast-cli:${{ inputs.tag }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

notify:
runs-on: ubuntu-latest
Expand Down
16 changes: 16 additions & 0 deletions .goreleaser.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,22 @@ builds:
- -w
- -X github.com/checkmarx/ast-cli/internal/params.Version={{.Version}}

docker_signs:
- id: ast-cli-signing
cmd: cosign
args:
- "sign"
- "--key-env=COSIGN_PRIVATE_KEY" # Private key from environment variable
- "${artifact}" # The artifact (image or manifest) to be signed
- "--yes" # Required for Cosign 2.0.0+
artifacts: images # Sign Docker images
stdin: "{{ .Env.COSIGN_PASSWORD }}" # Password from environment variable
env:
- COSIGN_PRIVATE_KEY={{ .Env.COSIGN_PRIVATE_KEY }} # Private key from GitHub Secrets
- COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }} # Password from GitHub Secrets
- COSIGN_PUBLIC_KEY={{ .Env.COSIGN_PUBLIC_KEY }} # Public key from GitHub Secrets
output: true

dockers:
- use: docker
dockerfile: Dockerfile
Expand Down
Loading