From 26f10e0a7ab6e0bfb561af1757e17243edaf93ec Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Tue, 22 Feb 2022 21:33:42 +0100
Subject: [PATCH] Extend the release action to sign the docker image and binary files with cosign (#781)

* Extend the release action to sign the docker image and binary files with cosign
* Fix lint warnings
* Fix the ling warnings
* Fix the lint warnings

---
 .github/workflows/release.yml | 52 +++++++++++++++++++++++++++--------
 .goreleaser.yml | 9 +++++-
 README.md | 15 +++++++++-
 cosign.pub | 4 +++
 report/html/writer.go | 1 -
 report/text/writer.go | 4 +--
 6 files changed, 68 insertions(+), 17 deletions(-)
 create mode 100644 cosign.pub

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 56b0848..63d812b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,27 +18,57 @@ jobs:
 uses: actions/setup-go@v2
 with:
 go-version: 1.17
- - name : Get release version
- id: get_version
- run: echo ::set-env name=RELEASE_VERSION::$(echo ${GITHUB_REF:10})
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.5.2'
+ - name: Store Cosign private key in a file
+ run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
+ shell: bash
+ env:
+ COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{secrets.DOCKER_USERNAME}}
+ password: ${{secrets.DOCKER_PASSWORD}}
 - name: Generate SBOM
 uses: CycloneDX/gh-gomod-generate-sbom@v1
 with:
 version: v1
 args: mod -licenses -json -output bom.json
+ - name: Docker meta
+ uses: docker/metadata-action@v3
+ id: meta
+ with:
+ images: securego/gosec
+ flavor: |
+ latest=true
+ tags: |
+ type=sha,format=long
+ type=semver,pattern={{version}}
 - name: Release Binaries
 uses: goreleaser/goreleaser-action@v2
 with:
 version: latest
 args: release --rm-dist
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
 - name: Release Docker Image
- uses: elgohr/Publish-Docker-Github-Action@master
+ uses: docker/build-push-action@v2
 with:
- name: securego/gosec
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
- buildargs: GO_VERSION=1.17
- tags: "latest,${{ env.RELEASE_VERSION }}"
- tag_names: true
+ platforms: linux/amd64,linux/arm/v7,linux/arm64
+ tags: ${{steps.meta.outputs.tags}}
+ labels: ${{steps.meta.outputs.labels}}
+ push: true
+ build-args: GO_VERSION=1.17
+ - name: Sign Docker Image
+ run: cosign sign -key /tmp/cosign.key ${TAGS}
+ env:
+ TAGS: ${{steps.meta.outputs.tags}}
+ COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
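Review bot: The `Store Cosign private key in a file` step writes the secret to `/tmp/cosign.key` under the runner's default umask and nothing ever deletes it, so the key stays on disk, readable by every later step, for the rest of the job even though no step after `Sign Docker Image` needs it. Creating the file under `umask 077` and adding a final `if: always()` step that removes it limits both the permissions and the lifetime of the key material. Separately, `Sign Docker Image` signs the mutable tags from `steps.meta.outputs.tags`; giving the `Release Docker Image` step an `id` and signing `securego/gosec@${DIGEST}` with `steps.build.outputs.digest` binds the signature to the exact manifest that was pushed. `sigstore/cosign-installer@main` is a moving ref for the tool that produces these signatures and should be pinned to a release tag or commit SHA like the other actions in this workflow. The `steps:` list this hunk edits begins outside the hunk.
```yaml
      - name: Store Cosign private key in a file
        run: 'umask 077 && echo "$COSIGN_KEY" > /tmp/cosign.key'
# … unchanged: QEMU, Buildx, DockerHub login, SBOM, Docker meta, Release Binaries …
      - name: Release Docker Image
        id: build
        uses: docker/build-push-action@v2
# … unchanged: with: platforms/tags/labels/push/build-args …
      - name: Sign Docker Image
        run: cosign sign -key /tmp/cosign.key securego/gosec@${DIGEST}
        env:
          DIGEST: ${{steps.build.outputs.digest}}
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
      - name: Remove Cosign private key
        if: always()
        run: rm -f /tmp/cosign.key
```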
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 300f4b4..539be56 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -9,7 +9,7 @@ release:
 name: gosec
 builds:
- - main : ./cmd/gosec/
+ - main: ./cmd/gosec/
 binary: gosec
 goos:
 - darwin
@@ -21,3 +21,10 @@ builds:
 ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X main.BuildDate={{.Date}}
 env:
 - CGO_ENABLED=0
+
+signs:
+- cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD}}'
+ args: ["sign-blob", "--key=/tmp/cosign.key", "--output=${signature}", "${artifact}"]
+ artifacts: all
+
diff --git a/README.md b/README.md
index 49b7408..772e124 100644
--- a/README.md
+++ b/README.md
@@ -407,6 +407,19 @@ git push origin v1.0.0
 The GitHub [release workflow](.github/workflows/release.yml) triggers immediately after the tag is pushed upstream. This flow will release the binaries using the [goreleaser](https://goreleaser.com/actions/) action and then it will build and publish the docker image into Docker Hub.
+The released artifacts are signed using [cosign](https://docs.sigstore.dev/). You can use the public key from [cosign.pub](cosign.pub)
+file to verify the signature of docker image and binaries files.
+
+The docker image signature can be verified with the following command:
+```
+cosign verify --key cosign.pub securego/gosec:
+```
+
+The binary files signature can be verified with the following command:
+```
+cosign verify-blob --key cosign.pub --signature gosec__darwin_amd64.tar.gz.sig gosec__darwin_amd64.tar.gz
+```
+
 ### Docker image
 You can also build locally the docker image by using the command:
@@ -450,4 +463,4 @@ This is a [list](USERS.md) with some of the gosec's users. Support this project by becoming a sponsor. Your logo will show up here with a link to your website - \ No newline at end of file +
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..c6fd559
--- /dev/null
+++ b/cosign.pub
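Review bot: The new `signs` block hard-codes `--key=/tmp/cosign.key`, a path that exists only because a step in `.github/workflows/release.yml` writes the secret there first, and the passphrase likewise arrives through `COSIGN_PASSWORD` from that workflow, yet nothing in this file records either dependency. A comment above `signs:` such as `# Signing inputs are provided by the release workflow: the private key at /tmp/cosign.key and the passphrase in COSIGN_PASSWORD` would keep the two files from drifting apart when the key location or variable name changes. As far as I can tell `artifacts: all` also emits a signature for the checksum file, which is worth stating in the same comment so that verifiers know they can apply the README's `verify-blob` procedure to it as well.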
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFphl7f2VuFRfsi4wqiLUCQ9xHQgV
+O2VMDNcvh+kxiymLXa+GkPzSKExFYIlVwfg13URvCiB+kFvITmLzuLiGQg==
+-----END PUBLIC KEY-----
diff --git a/report/html/writer.go b/report/html/writer.go
index 36b2f94..125b7cd 100644
--- a/report/html/writer.go
+++ b/report/html/writer.go
@@ -1,7 +1,6 @@
 package html
 import (
- // use go embed to import template
 _ "embed"
 "html/template"
diff --git a/report/text/writer.go b/report/text/writer.go
index 08698ea..2ea8d7c 100644
--- a/report/text/writer.go
+++ b/report/text/writer.go
@@ -3,9 +3,7 @@ package text
 import (
 "bufio"
 "bytes"
-
- // use go embed to import template
- _ "embed"
+ _ "embed" // use go embed to import template
 "fmt"
 "io"
 "strconv"