feat(docker): sign images (#565)

Co-authored-by: Rafael Falk <rafael.falk@digitalservice.bund.de> Co-authored-by: Sanny Nguyen Hung <sanny.nguyen@digitalservice.bund.de>
digitalservicebund · Feb 21, 2024 · 9567a9e · 9567a9e
1 parent 05354b2
commit 9567a9e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 16 deletions.
diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml
@@ -70,16 +70,17 @@ jobs:
       - run: ./docker.sh --build app
       - run: ./docker.sh --push app
       - run: ./docker.sh --build prod
-      - name: Generate cosign vulnerability scan record
+      - run: echo "PROD_IMAGE_TAG=$(./docker.sh --prodImageTag)" >> $GITHUB_ENV
+      - name: Generate cosign vulnerability scan record for PROD image
         uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
         with:
-          image-ref: "${{ env.REGISTRY }}/${{ github.repository }}"
+          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
           format: "cosign-vuln"
           output: "vulnerabilities.json"
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
         with:
-          image-ref: "${{ env.REGISTRY }}/${{ github.repository }}"
+          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
           format: "sarif"
           output: "trivy-results.sarif"
           ignore-unfixed: true
@@ -91,15 +92,14 @@ jobs:
           sarif_file: "trivy-results.sarif"
       - run: ./docker.sh --push prod
       - run: ./docker.sh --sign
-      - run: ./docker.sh --attest
       - id: prod_image_tag
         run: echo "prod_image_tag=$(./docker.sh --prodImageTag)" >> $GITHUB_OUTPUT
     outputs:
       prod_image_tag: ${{ steps.prod_image_tag.outputs.prod_image_tag }}
 
   deploy-staging:
-    needs: [build-push-app-image]
     if: github.ref == 'refs/heads/main'
+    needs: [build-push-app-image]
     runs-on: ubuntu-latest
     environment: staging
     steps:

diff --git a/docker.sh b/docker.sh
@@ -66,12 +66,6 @@ case $1 in
     getAppFromLatestImage $DESTINATION
     exit 0
     ;;
---attest)
-    cosign attest --yes --replace --predicate vulnerabilities.json --type vuln $APP_IMAGE
-    cosign attest --yes --replace --predicate vulnerabilities.json --type vuln $CONTENT_IMAGE
-    cosign attest --yes --replace --predicate vulnerabilities.json --type vuln $PROD_IMAGE
-    exit 0
-    ;;
 --contentFromImage)
     IMAGE_CONTENT_FILE=./content_from_image.json
     echo "Extracting content from $CONTENT_IMAGE into $IMAGE_CONTENT_FILE..."
@@ -96,7 +90,7 @@ case $1 in
     case ${TARGET} in
     app)
         LATEST_GIT_TAG=$(git rev-parse HEAD)
-        APP_IMAGE_TAG=$APP_IMAGE:$LATEST_GIT_TAG
+        APP_IMAGE_TAG=$APP_IMAGE
 
         npm run build
         npm run build-storybook
@@ -133,7 +127,7 @@ case $1 in
     case ${TARGET} in
     app)
         echo "Pushing $APP_IMAGE..."
-        docker push --all-tags $APP_IMAGE
+        docker push $APP_IMAGE
         ;;
     content)
         echo "Pushing $CONTENT_IMAGE..."
@@ -147,9 +141,11 @@ case $1 in
     ;;
 --sign)
     echo "Signing images with cosign"
-    cosign sign --yes $APP_IMAGE
-    cosign sign --yes $CONTENT_IMAGE
-    cosign sign --yes $PROD_IMAGE
+    cosign sign --yes $PROD_IMAGE:$(prodImageTag)
+    echo "Attest images with cosign"
+    cosign attest --yes --replace --predicate vulnerabilities.json --type vuln $APP_IMAGE
+    cosign attest --yes --replace --predicate vulnerabilities.json --type vuln $CONTENT_IMAGE
+    cosign attest --yes --replace --predicate vulnerabilities.json --type vuln $PROD_IMAGE
     ;;
 *)
     echo "Unknown command $1"