code signing

.github/workflows/release.yaml

@@ -9,6 +9,18 @@ jobs:
   semrel:
     name: Semantic Release
     runs-on: ubuntu-latest
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: none
+      statuses: none
+      id-token: write # needed for signing the images with GitHub OIDC using cosign
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -50,6 +62,7 @@ jobs:
 
       - name: Build and push
         if: steps.semrel.outputs.version != ''
+        id: docker
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -58,3 +71,25 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: |
             ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner on api
+        if: steps.semrel.outputs.version != ''
+        uses: aquasecurity/trivy-action@0.19.0
+        with:
+          image-ref: ghcr.io/adfinis/timed-backend
+          format: "cyclonedx"
+          output: "trivy.cdx"
+
+      - name: Install Cosign
+        if: steps.semrel.outputs.version != ''
+        uses: sigstore/cosign-installer@v3.4.0
+
+      - name: Sign the image with GitHub OIDC Token using cosign
+        if: steps.semrel.outputs.version != ''
+        run: |
+          cosign sign --yes ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }}
+
+      - name: Attach an SBOM attestation to the signed image
+        if: steps.semrel.outputs.version != ''
+        run: |
+          cosign attest --yes --type cyclonedx --predicate trivy.cdx ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }}

.github/workflows/schedule.yaml

@@ -12,3 +12,4 @@ jobs:
     uses: ./.github/workflows/trivy-scan.yaml
     with:
       image-ref: ghcr.io/adfinis/timed-backend
+      attest: true

.github/workflows/trivy-scan.yaml

@@ -8,6 +8,10 @@ on:
         required: true
         type: string
         description: The image to scan e.g. ghcr.io/owner/image
+      attest:
+        required: false
+        type: boolean
+        default: true
 
 jobs:
   trivy-scan:
@@ -22,7 +26,8 @@ jobs:
       repository-projects: none
       security-events: write
       statuses: none
-      id-token: none
+      # needed for `cosign attest`
+      id-token: write
 
     runs-on: ubuntu-latest
     name: Scan ${{ inputs.image-ref }}
@@ -38,11 +43,36 @@ jobs:
         uses: aquasecurity/trivy-action@0.19.0
         with:
           image-ref: ${{ inputs.image-ref }}
+          format: "json"
+          output: "trivy.json"
+
+      - name: Convert results to sarif
+        uses: aquasecurity/trivy-action@0.19.0
+        with:
+          image-ref: trivy.json
+          scan-type: "convert"
           format: "sarif"
+          # skip --vuln-type arg
+          vuln-type: ""
           output: "trivy.sarif"
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: "trivy.sarif"
+
+      - name: Convert trivy results to cosign-vuln
+        if: ${{ inputs.attest }}
+        uses: aquasecurity/trivy-action@0.19.0
+        with:
+          image-ref: trivy.json
+          scan-type: "convert"
+          format: "cosign-vuln"
+          # skip --vuln-type arg
+          vuln-type: ""
+          output: "trivy.cosign.json"
+
+      - name: Attach a security attestation to the signed image
+        if: ${{ inputs.attest }}
+        run: cosign attest --yes --type vuln --predicate trivy.cosign.json ${{ inputs.image-ref }}