Merge pull request #2438 from ShubhamPalriwala/sign-and-generate-sbom

Sign images and generate and sign SBOM

.github/workflows/image.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: login to GitHub Container Registry
         run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
@@ -31,6 +36,11 @@ jobs:
         run: |
           make docker-publish-initContainer
 
+      - name: Sign image
+        run: |
+          KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
+
   push-kyverno:
     runs-on: ubuntu-latest
     steps:
@@ -45,6 +55,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: login to GitHub Container Registry
         run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
@@ -58,6 +73,11 @@ jobs:
         run: |
           make docker-publish-kyverno
 
+      - name: Sign image
+        run: |
+          KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
+
   push-kyverno-cli:
     runs-on: ubuntu-latest
     steps:
@@ -72,6 +92,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: login to GitHub Container Registry
         run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
@@ -83,4 +108,9 @@ jobs:
 
       - name: docker images publish
         run: |
-          make docker-publish-cli
+          make docker-publish-cli
+
+      - name: Sign image
+        run: |
+          KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/-cli:${KYVERNO_IMAGE_VERSION}

.github/workflows/release.yaml

@@ -17,6 +17,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: Cache Go modules
         uses: actions/cache@v1
         with:
@@ -40,10 +45,18 @@ jobs:
         with:
           install: true
 
+      - name: Set version
+        run: |
+          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
+
       - name :  docker images publish
         run: |
           make docker-publish-initContainer
 
+      - name: Sign image
+        run: |
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION}
+
   release-kyverno:
     runs-on: ubuntu-latest
     steps:
@@ -57,6 +70,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: Cache Go modules
         uses: actions/cache@v1
         with:
@@ -80,10 +98,31 @@ jobs:
         with:
           install: true
 
+      - name: Set version
+        run: |
+          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
+
+      - name: Generate SBOM JSON
+        uses: CycloneDX/gh-gomod-generate-sbom@v0.3.0
+        with:
+          json: true
+          output: kyverno-v${{ env.KYVERNO_VERSION }}-bom.cdx.json
+          resolve-licenses: true
+          version: ^v0
+      - uses: actions/upload-artifact@v2
+        with:
+          name: kyverno-bom-cdx
+          path: kyverno-v*-bom.cdx.json
+
       - name :  docker images publish
         run: |
           make docker-publish-kyverno
 
+      - name: Sign image and SBOM
+        run: |
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION}
+          cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/kyverno:latest
+          
       - name: Trivy Scan Image
         uses: aquasecurity/trivy-action@master
         with: 
@@ -107,6 +146,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: Cache Go modules
         uses: actions/cache@v1
         with:
@@ -130,9 +174,17 @@ jobs:
         with:
           install: true
 
+      - name: Set version
+        run: |
+          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
+
       - name :  docker images publish
         run: |
           make docker-publish-cli
+
+      - name: Sign image
+        run: |
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION}
   
   create-release:
     runs-on: ubuntu-latest

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxWHpvn2uMYqg174TmTcnGELOXXM
+7/cGqLZW88FFceihl1WA24yKxtMBZqw/s06XqPqujqRzhkaSKa2zkRUWUA==
+-----END PUBLIC KEY-----