Skip to content

Commit

Permalink
Sign main branch Unified container builds with cosign and perform sec…
Browse files Browse the repository at this point in the history
…urity scanning
  • Loading branch information
withinfocus committed Dec 13, 2024
1 parent 624d0e3 commit a6dc5f1
Show file tree
Hide file tree
Showing 2 changed files with 68 additions and 0 deletions.
35 changes: 35 additions & 0 deletions .github/workflows/build-cli-docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ jobs:
build-docker:
name: Build Docker image
runs-on: ubuntu-22.04
permissions:
security-events: write
id-token: write

steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand Down Expand Up @@ -86,6 +90,7 @@ jobs:
fi
- name: Build and push Docker image
id: build-docker
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
Expand All @@ -98,6 +103,36 @@ jobs:
secrets: |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
- name: Install Cosign
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- name: Sign image with Cosign
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
env:
DIGEST: ${{ steps.build-docker.outputs.digest }}
TAGS: ${{ steps.tag-list.outputs.tags }}
run: |
IFS="," read -a tags <<< "${TAGS}"
images=""
for tag in "${tags[@]}"; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
- name: Scan Docker image
id: container-scan
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
with:
image: ${{ steps.tag-list.outputs.primary_tag }}
fail-build: false
output-format: sarif

- name: Upload Grype results to GitHub
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
sarif_file: ${{ steps.container-scan.outputs.sarif }}

- name: Log out of Docker and disable Docker Notary
if: ${{ env.is_publish_branch == 'true' }}
run: |
Expand Down
33 changes: 33 additions & 0 deletions .github/workflows/publish-bws.yml
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,11 @@ jobs:
publish-docker:
name: Publish docker versioned and latest image
runs-on: ubuntu-22.04
permissions:
security-events: write
id-token: write
needs: setup

steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand Down Expand Up @@ -171,6 +175,7 @@ jobs:
azure-keyvault-name: "bitwarden-ci"

- name: Build and push Docker image
id: build-docker
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
Expand All @@ -183,6 +188,34 @@ jobs:
secrets: |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- name: Sign image with Cosign
env:
DIGEST: ${{ steps.build-docker.outputs.digest }}
TAGS: ${{ steps.tag-list.outputs.tags }}
run: |
IFS="," read -a tags <<< "${TAGS}"
images=""
for tag in "${tags[@]}"; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
- name: Scan Docker image
id: container-scan
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
with:
image: ${{ steps.tag-list.outputs.primary_tag }}
fail-build: false
output-format: sarif

- name: Upload Grype results to GitHub
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
sarif_file: ${{ steps.container-scan.outputs.sarif }}

- name: Log out of Docker and disable Docker Notary
if: ${{ inputs.release_type != 'Dry Run' }}
run: |
Expand Down

0 comments on commit a6dc5f1

Please sign in to comment.