forked from slsa-framework/slsa-verifier
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add pre-submit to verify base images (slsa-framework#592)
* Add comments to verify new base image digests * Add pre-submit to verify Dockerfile base images. * add step to install cosign Signed-off-by: Ian Lewis <ianlewis@google.com> * Use specific golang version for tag Signed-off-by: Ian Lewis <ianlewis@google.com> * retab Signed-off-by: Ian Lewis <ianlewis@google.com> * Add description comment Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com>
- Loading branch information
Ian Lewis
authored
Sep 7, 2022
1 parent
9082f8b
commit e77551c
Showing
4 changed files
with
71 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| name: pre-submit base images | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [main] | ||
| workflow_dispatch: | ||
|
|
||
| permissions: read-all | ||
|
|
||
| jobs: | ||
| verify-base-images: | ||
| name: verify base images | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2 | ||
| - name: install cosign | ||
| uses: sigstore/cosign-installer@b3413d484cc23cf8778c3d2aa361568d4eb54679 # tag=v2.5.1 | ||
| - name: verify images | ||
| run: ./.github/workflows/scripts/verify-base-images.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| -----BEGIN PUBLIC KEY----- | ||
| MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q | ||
| OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA== | ||
| -----END PUBLIC KEY----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| #!/bin/bash | ||
|
|
||
| # verify-base-images.sh verifies that base images used in Dockerfiles are | ||
| # referenced by image digest and signed by their developers. It should be run at | ||
| # the git repository's root directory. | ||
| # | ||
| # distroless images are verified with cosign using the distroless project's | ||
| # public key available here: | ||
| # https://github.com/GoogleContainerTools/distroless#how-do-i-verify-distroless-images | ||
| # | ||
| # All other images are assumed to be Docker official images that are signed | ||
| # using Docker Content Trust (https://docs.docker.com/engine/security/trust/). | ||
| # The public key for Docker official images in included in Docker releases by | ||
| # default so no signers or keys need to be added. | ||
|
|
||
| set -euo pipefail | ||
|
|
||
| # NOTE: Use read to avoid whitespace issues. | ||
| find . -name Dockerfile -print0 | while IFS= read -r -d '' f; do | ||
| echo "Checking $f" | ||
| grep "^FROM " "$f" | while IFS= read -r line; do | ||
| image_full=$(echo "$line" | awk '{ print $2 }') | ||
| image_name=$(echo "$image_full" | cut -d '@' -f 1) | ||
| image_sha=$(echo "$image_full" | cut -d '@' -f 2- | cut -d ':' -f 2-) | ||
|
|
||
| echo "Verifying base image $image_full" | ||
|
|
||
| # verify that the image contains a sha. | ||
| if [ "$image_sha" == "" ]; then | ||
| echo "\"$image_full\" should be referenced by digest." | ||
| exit 2 | ||
| fi | ||
|
|
||
| # verify distroless base images. | ||
| if [[ "$image_name" == gcr.io/distroless/* ]]; then | ||
| # verify the image signature. | ||
| cosign verify --key .github/workflows/scripts/distroless.pub "$image_full" | ||
| else | ||
| # All other base images should be signed using Docker Content Trust. | ||
| if ! (DOCKER_CONTENT_TRUST=1 docker trust inspect --pretty "$image_name" | grep "$image_sha"); then | ||
| echo "$image_full: unable to verify Docker Content Trust." | ||
| exit 2 | ||
| fi | ||
| fi | ||
| done | ||
| done |