Commit 201a680

Sign main branch Unified container builds with cosign and perform security scanning (#1192)
## 🎟️ Tracking

https://bitwarden.atlassian.net/browse/VULN-130

## 📔 Objective

Signs Unified container images built off `main` with [Cosign](https://github.com/sigstore/cosign). This uses Sigstore's in-house certificate authority with short-lived keys that are all self-managed with the tool, which will also utilize GitHub's provided OIDC entity.

As part of an effort to increase transparency of what we build as an open source company, these signatures are also sent to [Rekor](https://search.sigstore.dev/) -- users of our images are then free to verify the images against that log.

Also throws in container security scanning as that's adjacent in other builds.

## ⏰ Reminders before review

- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

## 🦮 Reviewer guidelines

<!-- Suggested interactions but feel free to use (or not) as you desire! -->

- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes
1 parent 624d0e3 commit 201a680

2 files changed

+68
-0
lines changed

.github/workflows/build-cli-docker.yml

+35
@@ -14,6 +14,10 @@ jobs:
1414
build-docker:
1515
name: Build Docker image
1616
runs-on: ubuntu-22.04
17+
permissions:
18+
security-events: write
19+
id-token: write
20+
1721
steps:
1822
- name: Checkout Repository
1923
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
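Review bot: the new job-level `permissions` block (`security-events: write`, `id-token: write`) replaces the default token grants for this job, so every scope not listed here drops to `none`; since the job still runs `actions/checkout` immediately below, consider adding `contents: read` explicitly so the checkout does not depend on the repository being publicly readable. `id-token: write` is the scope that lets the later keyless Cosign step request a GitHub OIDC token, and `security-events: write` is what the SARIF upload needs; scoping both to this job rather than the whole workflow is the right call.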
@@ -86,6 +90,7 @@ jobs:
8690
fi
8791
8892
- name: Build and push Docker image
93+
id: build-docker
8994
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
9095
with:
9196
context: .
@@ -98,6 +103,36 @@ jobs:
98103
secrets: |
99104
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
100105
106+
- name: Install Cosign
107+
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
108+
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
109+
110+
- name: Sign image with Cosign
111+
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
112+
env:
113+
DIGEST: ${{ steps.build-docker.outputs.digest }}
114+
TAGS: ${{ steps.tag-list.outputs.tags }}
115+
run: |
116+
IFS="," read -a tags <<< "${TAGS}"
117+
images=""
118+
for tag in "${tags[@]}"; do
119+
images+="${tag}@${DIGEST} "
120+
done
121+
cosign sign --yes ${images}
122+
123+
- name: Scan Docker image
124+
id: container-scan
125+
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
126+
with:
127+
image: ${{ steps.tag-list.outputs.primary_tag }}
128+
fail-build: false
129+
output-format: sarif
130+
131+
- name: Upload Grype results to GitHub
132+
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
133+
with:
134+
sarif_file: ${{ steps.container-scan.outputs.sarif }}
135+
101136
- name: Log out of Docker and disable Docker Notary
102137
if: ${{ env.is_publish_branch == 'true' }}
103138
run: |
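Review bot: the `Scan Docker image` step runs after the image has already been signed and uses `fail-build: false`, so a Grype finding can never prevent a signature from being issued; if the signature is meant to attest that the image passed scanning, move the scan (or a gate on its results) ahead of `Sign image with Cosign`. Related: the scan targets `${{ steps.tag-list.outputs.primary_tag }}` by tag while the signature is attached to `${tag}@${DIGEST}`, so the two can refer to different images if the tag moves between steps; pinning the scan to the same digest, e.g. `image: ${{ steps.tag-list.outputs.primary_tag }}@${{ steps.build-docker.outputs.digest }}`, keeps them consistent. Minor: `cosign sign --yes ${images}` relies on unquoted word splitting of a space-joined string to pass several references, which works for the values built here but is fragile; a bash array (`images+=("${tag}@${DIGEST}")` then `cosign sign --yes "${images[@]}"`) is the idiomatic form.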

.github/workflows/publish-bws.yml

+33
@@ -115,7 +115,11 @@ jobs:
115115
publish-docker:
116116
name: Publish docker versioned and latest image
117117
runs-on: ubuntu-22.04
118+
permissions:
119+
security-events: write
120+
id-token: write
118121
needs: setup
122+
119123
steps:
120124
- name: Checkout
121125
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -171,6 +175,7 @@ jobs:
171175
azure-keyvault-name: "bitwarden-ci"
172176

173177
- name: Build and push Docker image
178+
id: build-docker
174179
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
175180
with:
176181
context: .
@@ -183,6 +188,34 @@ jobs:
183188
secrets: |
184189
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
185190
191+
- name: Install Cosign
192+
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
193+
194+
- name: Sign image with Cosign
195+
env:
196+
DIGEST: ${{ steps.build-docker.outputs.digest }}
197+
TAGS: ${{ steps.tag-list.outputs.tags }}
198+
run: |
199+
IFS="," read -a tags <<< "${TAGS}"
200+
images=""
201+
for tag in "${tags[@]}"; do
202+
images+="${tag}@${DIGEST} "
203+
done
204+
cosign sign --yes ${images}
205+
206+
- name: Scan Docker image
207+
id: container-scan
208+
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
209+
with:
210+
image: ${{ steps.tag-list.outputs.primary_tag }}
211+
fail-build: false
212+
output-format: sarif
213+
214+
- name: Upload Grype results to GitHub
215+
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
216+
with:
217+
sarif_file: ${{ steps.container-scan.outputs.sarif }}
218+
186219
- name: Log out of Docker and disable Docker Notary
187220
if: ${{ inputs.release_type != 'Dry Run' }}
188221
run: |
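Review bot: unlike the adjacent `Log out of Docker and disable Docker Notary` step, which is guarded with `if: ${{ inputs.release_type != 'Dry Run' }}`, the new `Install Cosign` and `Sign image with Cosign` steps run unconditionally, whereas the same steps in `build-cli-docker.yml` are gated on a non-PR `main` build. On a dry run the build step presumably does not push, so `steps.build-docker.outputs.digest` may be empty and the sign step would either fail on a malformed `tag@` reference or, if a digest is present, publish a signature and Rekor entry for an image that was never meant to be released; add the same `Dry Run` guard to both Cosign steps.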
