Use SLSA attestations to attest to SBOMs #14438

Closed
laurentsimon opened this issue Jul 10, 2023 · 5 comments · Fixed by #14507
Labels
enhancement New feature or request security Security related

Comments

@laurentsimon
Contributor

laurentsimon commented Jul 10, 2023

Like other built artifacts, the SBOM can be attested to by SLSA attestations. (It's fairly common practice to attest to all built artifacts.)

The project already attests to its binaries and container images via SLSA attestations, so it should be easy to add the SBOMs.

I can send a PR updating the release workflow + documentation if you're interested.

@laurentsimon laurentsimon added the enhancement New feature or request label Jul 10, 2023
@crenshaw-dev
Member

Yep, I'd love to see this!

@crenshaw-dev crenshaw-dev added the security Security related label Jul 11, 2023
@enteraga6
Contributor

I am interested in taking up this issue. Should the SBOM SLSA provenance replace the Cosign signature or are both wanted? Thanks!

@crenshaw-dev
Member

@34fathombelow do you have any preference?

@34fathombelow
Member

@enteraga6 You can replace the Cosign signature with an attestation. The attestation will have its own signature.

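The point above is that the attestation carries its own signature, so a separate Cosign signature on the SBOM is redundant. What the attestation also carries, and what a consumer must still check after the signature verifies, is the subject digest that binds it to the SBOM file. The following is an added example, not argo-cd code or part of the PR: it decodes a DSSE-wrapped in-toto statement of the kind a SLSA provenance is delivered as, confirms it is SLSA provenance, and checks that a downloaded SBOM is one of its subjects. The envelope, SBOM bytes and builder id are constructed placeholders; envelope signature verification is assumed to have been done separately (for example by slsa-verifier).

```python
import base64
import hashlib
import json

# Added example, not project code. Assumes the DSSE envelope's signature was
# already verified elsewhere; this covers the artifact-to-attestation binding.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def decode_dsse_payload(envelope: dict) -> dict:
    """Decode the base64 payload of a DSSE envelope into its in-toto statement."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))

def is_slsa_provenance(statement: dict) -> bool:
    """True when the statement is an in-toto Statement with a SLSA provenance predicate."""
    return (statement.get("_type") == "https://in-toto.io/Statement/v0.1"
            and statement.get("predicateType", "").startswith("https://slsa.dev/provenance/"))

def find_subject(statement: dict, artifact: bytes):
    """Return the subject whose sha256 equals the artifact's digest, else None.

    Match on the digest, not the file name: the digest is the binding that
    matters, and a renamed file must still verify against the same attestation.
    """
    digest = sha256_hex(artifact)
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256") == digest:
            return subject
    return None

# Constructed sample input: a tiny SBOM and an envelope whose statement covers it.
SBOM = b'{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}\n'
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "sbom.tar.gz", "digest": {"sha256": sha256_hex(SBOM)}}],
    "predicate": {"builder": {"id": "https://example.invalid/placeholder-builder"}},
}
ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "placeholder-verified-separately"}],
}

if __name__ == "__main__":
    stmt = decode_dsse_payload(ENVELOPE)
    print(is_slsa_provenance(stmt), find_subject(stmt, SBOM))
```

A subject match on the digest plus a verified envelope signature is the pair that replaces the standalone Cosign signature; a digest mismatch means the downloaded SBOM is not the one the builder attested to.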
@enteraga6
Contributor

@34fathombelow Got it. PR is here #14507

crenshaw-dev pushed a commit that referenced this issue Jul 17, 2023
* Add provenance generation for sbom

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* upload SBOM

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Remove cosign setup

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* include hashes in generate-sbom output

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Replace Cosign Verification command with SLSA command in docs

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Remove id-token write permission - no longer needed

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

---------

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
enteraga6 added a commit to enteraga6/argo-cd that referenced this issue Jul 17, 2023
…4507)
Signed-off-by: Noah Elzner <elzner@google.com>
crenshaw-dev pushed a commit that referenced this issue Jul 18, 2023
#14559)

* chore: Generate SLSA provenance for SBOM (#14438) (#14507)
* change source tag in sbom verification command to v2.8.0

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

---------

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Signed-off-by: Noah Elzner <elzner@google.com>
Jneville0815 pushed a commit to radiusmethod/argo-cd that referenced this issue Jul 18, 2023
…4507)
Signed-off-by: Jimmy Neville <jimmyeneville@gmail.com>
yyzxw pushed a commit to yyzxw/argo-cd that referenced this issue Aug 9, 2023
…4507)
tesla59 pushed a commit to tesla59/argo-cd that referenced this issue Dec 16, 2023
…4507)