cyber-dojo · JonJagger · Oct 18, 2024 · Oct 18, 2024 · Oct 18, 2024
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -2,8 +2,6 @@ name: Main - Attests to https://app.kosli.com
 
 on:
   push:
-    branches:
-      - main
 
 env:
   KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }}           # false
@@ -35,6 +33,7 @@ jobs:
 
 
   pull-request:
+    if: ${{ github.ref == 'refs/heads/main' }}
     needs: []
     runs-on: ubuntu-latest
     permissions:
@@ -47,19 +46,54 @@ jobs:
           fetch-depth: 1
 
       - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Attest pull-request evidence to Kosli
-        if: ${{ github.ref == 'refs/heads/main' }}
         run:
           kosli attest pullrequest github
             --github-token=${{ secrets.GITHUB_TOKEN }}
             --name=pull-request
 
 
+  snyk-code-scan:
+    needs: []
+    runs-on: ubuntu-latest
+    env:
+      SARIF_FILENAME: snyk.code.scan.json
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+
+      - name: Run Snyk code scan
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run:
+          snyk code test 
+            --sarif 
+            --sarif-file-output="${SARIF_FILENAME}" 
+            --policy-path=.snyk 
+            .
+
+      - name: Setup Kosli CLI
+        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
+        uses: kosli-dev/setup-cli-action@v2
+        with:
+          version: ${{ vars.KOSLI_CLI_VERSION }}
+
+      - name: Attest evidence to Kosli
+        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
+        run:
+          kosli attest snyk 
+            --name=nginx.snyk-code-scan 
+            --scan-results="${SARIF_FILENAME}"
+
+
   build-image:
     needs: [setup]
     runs-on: ubuntu-latest
@@ -78,6 +112,7 @@ jobs:
           password: ${{ secrets.DOCKER_PASS }}
 
       - name: Build and push image to Dockerhub Registry
+        id: docker_build
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -86,6 +121,12 @@ jobs:
           build-args:
             COMMIT_SHA=${{ github.sha }}
 
+      - name: Make artifact fingerprint available to following jobs
+        id: variables
+        run: |
+          FINGERPRINT=$(echo ${{ steps.docker_build.outputs.digest }} | sed 's/.*://')                              
+          echo "kosli_fingerprint=${FINGERPRINT}" >> ${GITHUB_OUTPUT}
+
       - name: Setup Kosli CLI
         if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
@@ -100,12 +141,6 @@ jobs:
             --name=nginx
             --trail="${GITHUB_SHA}"
 
-      - name: Make artifact fingerprint available to following jobs
-        id: variables
-        run: |
-          FINGERPRINT=$(kosli fingerprint "${IMAGE_NAME}" --artifact-type=docker)
-          echo "kosli_fingerprint=${FINGERPRINT}" >> ${GITHUB_OUTPUT}
-
 
   snyk-container-scan:
     needs: [setup, build-image]
@@ -137,7 +172,7 @@ jobs:
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
-      - name: Attest results to Kosli
+      - name: Attest evidence to Kosli
         if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
         env:
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
@@ -147,57 +182,17 @@ jobs:
             --scan-results="${SARIF_FILENAME}"
 
 
-  snyk-code-scan:
-    needs: [setup, build-image]
-    runs-on: ubuntu-latest
-    env:
-      SARIF_FILENAME: snyk.code.scan.json
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Setup Snyk
-        uses: snyk/actions/setup@master
-
-      - name: Run Snyk code scan
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run:
-          snyk code test 
-            --sarif 
-            --sarif-file-output="${SARIF_FILENAME}" 
-            --policy-path=.snyk 
-            .
-
-      - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        uses: kosli-dev/setup-cli-action@v2
-        with:
-          version: ${{ vars.KOSLI_CLI_VERSION }}
-
-      - name: Attest results to Kosli
-        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        env:
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
-        run:
-          kosli attest snyk 
-            --name=nginx.snyk-code-scan 
-            --scan-results="${SARIF_FILENAME}"
-
-
   sdlc-control-gate:
+    if: ${{ github.ref == 'refs/heads/main' }}
     needs: [setup, build-image, pull-request, snyk-container-scan, snyk-code-scan]
     runs-on: ubuntu-latest
     steps:
       - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Kosli SDLC gate to short-circuit the workflow
-        if: ${{ github.ref == 'refs/heads/main' }}
         env:
           IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
@@ -217,13 +212,11 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Attest approval of deployment to Kosli
-        if: ${{ github.ref == 'refs/heads/main' }}
         env:
           IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
@@ -254,13 +247,11 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Attest approval of deployment to Kosli
-        if: ${{ github.ref == 'refs/heads/main' }}
         env:
           IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}

diff --git a/README.md b/README.md
@@ -2,8 +2,8 @@
 
 - A docker-containerized micro-service for [https://cyber-dojo.org](http://cyber-dojo.org).
 - The front-end [Nginx](https://www.nginx.com/) image for a [cyber-dojo](http://cyber-dojo.org) web server.
-- A [Kosli CI flow](https://app.kosli.com/cyber-dojo/flows/nginx-ci/trails/) 
+- Demonstrates a [Kosli](https://www.kosli.com/) instrumented [GitHub CI workflow](https://app.kosli.com/cyber-dojo/flows/nginx-ci/trails/) 
   deploying, with Continuous Compliance, to [staging](https://app.kosli.com/cyber-dojo/environments/aws-beta/snapshots/) and [production](https://app.kosli.com/cyber-dojo/environments/aws-prod/snapshots/) AWS environments.
-
+- Uses patterns from https://www.kosli.com/blog/using-kosli-attest-in-github-action-workflows-some-tips/
 
 ![cyber-dojo.org home page](https://github.com/cyber-dojo/cyber-dojo/blob/master/shared/home_page_snapshot.png)