Extend the release action to sign the docker image and binary files with cosign (#781)
* Extend the release action to sign the docker image and binary files with cosign * Fix lint warnings * Fix the lint warnings * Fix the lint warnings
This commit is contained in:
parent
7d539ed494
commit
26f10e0a7a
6 changed files with 68 additions and 17 deletions
52
.github/workflows/release.yml
vendored
52
.github/workflows/release.yml
vendored
|
@ -18,27 +18,57 @@ jobs:
|
|||
uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.17
|
||||
- name : Get release version
|
||||
id: get_version
|
||||
run: echo ::set-env name=RELEASE_VERSION::$(echo ${GITHUB_REF:10})
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@main
|
||||
with:
|
||||
cosign-release: 'v1.5.2'
|
||||
- name: Store Cosign private key in a file
|
||||
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
|
||||
shell: bash
|
||||
env:
|
||||
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v1
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
- name: Login to DockerHub
|
||||
uses: docker/login-action@v1
|
||||
with:
|
||||
username: ${{secrets.DOCKER_USERNAME}}
|
||||
password: ${{secrets.DOCKER_PASSWORD}}
|
||||
- name: Generate SBOM
|
||||
uses: CycloneDX/gh-gomod-generate-sbom@v1
|
||||
with:
|
||||
version: v1
|
||||
args: mod -licenses -json -output bom.json
|
||||
- name: Docker meta
|
||||
uses: docker/metadata-action@v3
|
||||
id: meta
|
||||
with:
|
||||
images: securego/gosec
|
||||
flavor: |
|
||||
latest=true
|
||||
tags: |
|
||||
type=sha,format=long
|
||||
type=semver,pattern={{version}}
|
||||
- name: Release Binaries
|
||||
uses: goreleaser/goreleaser-action@v2
|
||||
with:
|
||||
version: latest
|
||||
args: release --rm-dist
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
|
||||
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
|
||||
- name: Release Docker Image
|
||||
uses: elgohr/Publish-Docker-Github-Action@master
|
||||
uses: docker/build-push-action@v2
|
||||
with:
|
||||
name: securego/gosec
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
buildargs: GO_VERSION=1.17
|
||||
tags: "latest,${{ env.RELEASE_VERSION }}"
|
||||
tag_names: true
|
||||
platforms: linux/amd64,linux/arm/v7,linux/arm64
|
||||
tags: ${{steps.meta.outputs.tags}}
|
||||
labels: ${{steps.meta.outputs.labels}}
|
||||
push: true
|
||||
build-args: GO_VERSION=1.17
|
||||
- name: Sign Docker Image
|
||||
run: cosign sign -key /tmp/cosign.key ${TAGS}
|
||||
env:
|
||||
TAGS: ${{steps.meta.outputs.tags}}
|
||||
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
|
||||
|
|
|
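Review bot: The `Sign Docker Image` step signs the image by tag (`TAGS: ${{steps.meta.outputs.tags}}`), so the references cosign resolves are mutable and are not necessarily the manifest this job just pushed; signing the pushed digest removes that ambiguity. docker/build-push-action exposes the pushed digest as a step output, so give that step `id: build` and change the signing step to `run: cosign sign -key /tmp/cosign.key securego/gosec@${DIGEST}` with `DIGEST: ${{steps.build.outputs.digest}}` in its env. Separately, `/tmp/cosign.key` written by the `Store Cosign private key in a file` step is never removed, and on a self-hosted runner it would outlive the job; a final step with `if: always()` running `rm -f /tmp/cosign.key` closes that gap. The key file and `COSIGN_PASSWORD` are also consumed by goreleaser's signing config during `Release Binaries`, so the cleanup must come after both signing steps.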
@ -9,7 +9,7 @@ release:
|
|||
name: gosec
|
||||
|
||||
builds:
|
||||
- main : ./cmd/gosec/
|
||||
- main: ./cmd/gosec/
|
||||
binary: gosec
|
||||
goos:
|
||||
- darwin
|
||||
|
@ -21,3 +21,10 @@ builds:
|
|||
ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X main.BuildDate={{.Date}}
|
||||
env:
|
||||
- CGO_ENABLED=0
|
||||
|
||||
signs:
|
||||
- cmd: cosign
|
||||
stdin: '{{ .Env.COSIGN_PASSWORD}}'
|
||||
args: ["sign-blob", "--key=/tmp/cosign.key", "--output=${signature}", "${artifact}"]
|
||||
artifacts: all
|
||||
|
||||
|
|
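Review bot: The new `signs` stanza depends on state this file does not create — `cmd: cosign` assumes the binary is on PATH, `--key=/tmp/cosign.key` assumes the workflow wrote the key there, and `stdin: '{{ .Env.COSIGN_PASSWORD}}'` assumes the secret is exported — so a local `goreleaser release` fails with an unhelpful cosign error. A comment above `signs:` such as `# Requires cosign on PATH, the private key at /tmp/cosign.key and COSIGN_PASSWORD in the environment; all three are provisioned by .github/workflows/release.yml.` makes the coupling explicit. With `artifacts: all` the checksum file is signed as well, which matches the README's per-tarball `verify-blob` example but is worth stating there if users are expected to verify via checksums.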
15
README.md
15
README.md
|
@ -407,6 +407,19 @@ git push origin v1.0.0
|
|||
The GitHub [release workflow](.github/workflows/release.yml) triggers immediately after the tag is pushed upstream. This flow will
|
||||
release the binaries using the [goreleaser](https://goreleaser.com/actions/) action and then it will build and publish the docker image into Docker Hub.
|
||||
|
||||
The released artifacts are signed using [cosign](https://docs.sigstore.dev/). You can use the public key from [cosign.pub](cosign.pub)
|
||||
file to verify the signature of docker image and binaries files.
|
||||
|
||||
The docker image signature can be verified with the following command:
|
||||
```
|
||||
cosign verify --key cosign.pub securego/gosec:<TAG>
|
||||
```
|
||||
|
||||
The binary files signature can be verified with the following command:
|
||||
```
|
||||
cosign verify-blob --key cosign.pub --signature gosec_<VERSION>_darwin_amd64.tar.gz.sig gosec_<VERSION>_darwin_amd64.tar.gz
|
||||
```
|
||||
|
||||
### Docker image
|
||||
|
||||
You can also build locally the docker image by using the command:
|
||||
|
@ -450,4 +463,4 @@ This is a [list](USERS.md) with some of the gosec's users.
|
|||
|
||||
Support this project by becoming a sponsor. Your logo will show up here with a link to your website
|
||||
|
||||
<a href="https://github.com/mercedes-benz" target="_blank"><img src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4"></a>
|
||||
<a href="https://github.com/mercedes-benz" target="_blank"><img src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4"></a>
|
||||
|
|
4
cosign.pub
Normal file
4
cosign.pub
Normal file
|
@ -0,0 +1,4 @@
|
|||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFphl7f2VuFRfsi4wqiLUCQ9xHQgV
|
||||
O2VMDNcvh+kxiymLXa+GkPzSKExFYIlVwfg13URvCiB+kFvITmLzuLiGQg==
|
||||
-----END PUBLIC KEY-----
|
|
@ -1,7 +1,6 @@
|
|||
package html
|
||||
|
||||
import (
|
||||
|
||||
// use go embed to import template
|
||||
_ "embed"
|
||||
"html/template"
|
||||
|
|
|
@ -3,9 +3,7 @@ package text
|
|||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
|
||||
// use go embed to import template
|
||||
_ "embed"
|
||||
_ "embed" // use go embed to import template
|
||||
"fmt"
|
||||
"io"
|
||||
"strconv"
|
||||
|
|