spdx sbom for grafana-operator and sign image

.github/workflows/release.yaml

@@ -100,24 +100,35 @@ jobs:
 
       - uses: ko-build/setup-ko@v0.6
         with:
-          version: v0.14.1
+          version: v0.15.1
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.2.0
+        with:
+          cosign-release: "v2.2.2"
 
       - name: Prepare
         run: |
           echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
+          echo "REPOS"="quay.io/grafana-operator/grafana-operator" "ghcr.io/${{ github.repository }}" >> $GITHUB_ENV
 
       - name: Build and push
         run: |
-          declare -a arr=("quay.io/grafana-operator/grafana-operator" "ghcr.io/${{ github.repository }}" )
-
-          for i in "${arr[@]}"
+          for i in ${{ env.REPOS }}
           do
             export KO_DOCKER_REPO=${i}
-            ko build --sbom=none --bare --platform linux/arm64,linux/arm/v7,linux/amd64 -t ${{ github.ref_name }} \
+            ko build --sbom=spdx --image-refs ./image-digest-${i%.*} --bare --platform linux/arm64,linux/arm/v7,linux/amd64 -t ${{ github.ref_name }} \
             --image-label org.opencontainers.image.title=grafana-operator \
             --image-label org.opencontainers.image.description="An operator for Grafana that installs and manages Grafana instances & Dashboards & Datasources through Kubernetes/OpenShift CRs" \
             --image-label org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} \
             --image-label org.opencontainers.image.revision=${{ github.sha }} \
             --image-label org.opencontainers.image.version=${{ github.ref_name }} \
             --image-label org.opencontainers.image.created=${{ env.BUILD_DATE }}
           done
+
+      - name: Sign Image
+        run: |
+          for i in ${{ env.REPOS }}
+          do
+            cosign sign -d -y $(cat ./image-digest-${i%.*})
+          done

docs/docs/security.md

@@ -0,0 +1,45 @@
+---
+title: Security
+weight: 50
+---
+
+## Verification of container images
+
+Grafana-operator container images are signed by cosign using identity-based ("keyless") signing and transparency. Executing the following command can be used to verify the signature of a container image:
+
+To verify the grafana-operator run
+
+Pre-requirement
+
+- cosign v2.0.0 or higher [installation instructions](https://docs.sigstore.dev/system_config/installation/).
+
+```shell
+cosign verify ghcr.io/grafana/grafana-operator@<version> \
+  --certificate-identity-regexp 'https://github\.com/grafana/grafana-operator/\.github/workflows/.+' \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
+```
+
+For example
+
+```shell
+cosign verify ghcr.io/grafana/grafana-operator@v5.6.1 \
+  --certificate-identity-regexp 'https://github\.com/grafana/grafana-operator/\.github/workflows/.+' \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
+```
+
+## SBOM
+
+As a part of our release cycle we also generate SBOMs.
+You can find them as artifacts in our supported repositories.
+
+To download the sbom you can run
+
+```shell
+cosign download sbom --platform linux/amd64 ghcr.io/ghcr.io/grafama/grafana-operator/grafana-operator:<version>
+```
+
+example:
+
+```shell
+cosign download sbom --platform linux/amd64 ghcr.io/ghcr.io/grafama/grafana-operator/grafana-operator:v5.6.1
+```