Skip to content

Commit

Permalink
add SBOM to images (#730)
Browse files Browse the repository at this point in the history
* add SBOM to images
* attach attestation using cosign
* add container sbom verification to README.md
* add sbom attestation to release pipeline
* add trivy scan to release
  • Loading branch information
dtrai2 authored Dec 17, 2024
1 parent e668b17 commit ca065f9
Show file tree
Hide file tree
Showing 4 changed files with 102 additions and 17 deletions.
34 changes: 21 additions & 13 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,27 @@ jobs:
tags: |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Create SBOM of container image
uses: anchore/sbom-action@v0
with:
image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json

- name: Sign image with a key and add sbom attestation
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}

# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
Expand Down Expand Up @@ -167,16 +188,3 @@ jobs:
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db

- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Sign image with a key
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
38 changes: 37 additions & 1 deletion .github/workflows/publish-release-to-pypi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -96,10 +96,46 @@ jobs:
with:
cosign-release: 'v2.4.1'

- name: Sign image with a key
- name: Create SBOM of container image
uses: anchore/sbom-action@v0
with:
image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ steps.build-and-push.outputs.digest }}
artifact-name: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json
output-file: py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json

- name: Sign image with a key and add sbom attestation
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
cosign attest --yes --key env://COSIGN_PRIVATE_KEY --predicate py${{ matrix.python-version }}-${{ github.head_ref }}.spdx.json ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}

# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT

- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-

- name: Scan image using Trivy
uses: aquasecurity/trivy-action@0.24.0
env:
TRIVY_CACHE_DIR: ./cache
with:
scan-type: image
image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
trivy-config: trivy.yaml

# Trivy-db uses `0600` permissions.
# But `action/cache` use `runner` user by default
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
3 changes: 2 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,8 @@ the list is now fixed inside the packaged logprep
* remove `tldextract` dependency
* remove `urlextract` dependency
* fix wrong documentation for `timestamp_differ`
* add container signatures to image build inside ci pipeline
* add container signatures to images build in ci pipeline
* add sbom to images build in ci pipeline

### Bugfix

Expand Down
44 changes: 42 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ allowing further applications besides log handling.
- [Event Generation](https://logprep.readthedocs.io/en/latest/user_manual/execution.html#event-generation)
- [Documentation](https://logprep.readthedocs.io/en/latest)
- [Container signatures](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-signatures)
- [Container SBOM](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-sbom)
- [Contributing](https://github.com/fkie-cad/Logprep/blob/main/CONTRIBUTING.md)
- [License](https://github.com/fkie-cad/Logprep/blob/main/LICENSE)
- [Changelog](https://github.com/fkie-cad/Logprep/blob/main/CHANGELOG.md)
Expand Down Expand Up @@ -243,7 +244,8 @@ A HTML documentation can be then found in `doc/_build/html/index.html`.

## Container signatures

From release 15 on, Logprep containers are signed using the cosign tool.
From release 15 on, Logprep containers are signed using the
[cosign](https://github.com/sigstore/cosign) tool.
To verify the container, you can copy the following public key into a file
`logprep.pub`:

Expand All @@ -257,5 +259,43 @@ kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
And use it to verify the signature:

```
cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:3.11-latest
cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:py3.11-latest
```

The output should look like:

```
Verification for ghcr.io/fkie-cad/logprep:py3.11-latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"ghcr.io/fkie-cad/logprep"}, ...
```

## Container SBOM

From release 15 on, Logprep container images are shipped with a generated sbom.
To verify the attestation and extract the SBOM use
[cosign](https://github.com/sigstore/cosign) with:

```
cosign verify-attestation --key logprep.pub ghcr.io/fkie-cad/logprep:py3.11-latest | jq '.payload | @base64d | fromjson | .predicate | .Data | fromjson' > sbom.json
```

The output should look like:

```
Verification for ghcr.io/fkie-cad/logprep:py3.11-latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
```

Finally, you can view the extracted sbom with:

```
cat sbom.json | jq
```

0 comments on commit ca065f9

Please sign in to comment.