# Sign main branch Unified container builds with cosign and perform security scanning (#1192)
## 🎟️ Tracking
https://bitwarden.atlassian.net/browse/VULN-130
## 📔 Objective
Signs Unified container images built off `main` with
[Cosign](https://github.com/sigstore/cosign). This uses Sigstore's
in-house certificate authority with short-lived keys that are all
self-managed with the tool, which will also utilize GitHub's provided
OIDC entity. As part of an effort to increase transparency of what we
build as an open source company, these signatures are also sent to
[Rekor](https://search.sigstore.dev/) -- users of our images are then
free to verify the images against that log.
Also throws in container security scanning as that's adjacent in other
builds.
## ⏰ Reminders before review
- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
## 🦮 Reviewer guidelines
<!-- Suggested interactions but feel free to use (or not) as you desire! -->
- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes
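The objective above says the Cosign signatures are recorded in Rekor and that image consumers can verify against that log. The part of that verification a transparency log makes possible, and the part most people never see because `cosign verify` performs it internally, is checking a Merkle inclusion proof: given a signed log root, a leaf hash and a proof path, the client recomputes the root and rejects the entry if anything was altered or the entry is not where the log claims. The example below is added here and is not code from the Bitwarden repository or from Cosign; it implements the RFC 6962 hashing rules (leaf prefix `0x00`, node prefix `0x01`, SHA-256) and the RFC 9162 inclusion-proof check over a small constructed log, and shows that a tampered leaf or a wrong index fails. The leaf contents are constructed sample data, not real Rekor entries.

```python
import hashlib

# RFC 6962 domain separation: leaves and interior nodes hash differently so a
# leaf can never be confused with a node (prevents second-preimage tricks).
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree split)."""
    k = 1 << (n.bit_length() - 1)
    return k >> 1 if k == n else k


def merkle_root(leaves: list[bytes]) -> bytes:
    """Merkle Tree Hash (MTH) of an ordered list of leaf payloads."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(leaves[0])
    k = _split_point(n)
    return hash_node(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list[bytes], m: int) -> list[bytes]:
    """Audit path for leaf m: sibling hashes from the leaf up to the root.
    This is what a log server would hand a client alongside the entry."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf_hash: bytes, index: int, tree_size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): rebuild the root from the
    leaf hash and the proof, then compare against the trusted root."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = hash_node(p, r)  # sibling is on the left
            if not fn & 1:
                # right edge of a partial tree: skip levels with no sibling
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def demo() -> dict:
    # Constructed five-entry log standing in for signature records in Rekor.
    leaves = [b"signature-entry-%d" % i for i in range(5)]
    root = merkle_root(leaves)
    proof = inclusion_proof(leaves, 2)
    return {
        "genuine": verify_inclusion(hash_leaf(leaves[2]), 2, 5, proof, root),
        "tampered_leaf": verify_inclusion(hash_leaf(b"forged"), 2, 5, proof, root),
        "wrong_index": verify_inclusion(hash_leaf(leaves[2]), 3, 5, proof, root),
        "proof_len": len(proof),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice a consumer does not do this by hand: `cosign verify` fetches the entry and proof from Rekor and runs the equivalent check, and the trust decision also depends on pinning the signing identity and OIDC issuer (for keyless GitHub Actions signing, the `--certificate-identity-regexp` and `--certificate-oidc-issuer` flags) so that an entry signed by some other workflow is rejected even though it is validly logged.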