Initial commit

.github/workflows/pipeline.yml

@@ -0,0 +1,56 @@
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
+name: pipeline
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+
+    permissions:
+      packages: write
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+
+    steps:
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ghcr.io/${{ github.repository }}/swf
+
+    - name: Docker Login
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Setup Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Checkout Code
+      uses: actions/checkout@v4.1.1
+
+    - name: Build Image
+      shell: bash
+      run: |
+        docker buildx build -t ${{ steps.meta.outputs.tags }} --push .
+
+    - name: Generate SBOM
+      shell: bash
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+        syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/${{ github.repository }} -o cyclonedx-json --file sbom.cdx.json
+
+    - name: Upload SBOM
+      uses: actions/upload-artifact@v4.3.3
+      with:
+        name: sbom
+        path: sbom.cdx.json

.github/workflows/vex.yml

@@ -0,0 +1,37 @@
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
+name: vex
+
+on:
+  workflow_dispatch
+
+jobs:
+  generate-vex:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Setup Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version: 1.22.x
+    - run: go install github.com/openvex/vexctl@latest
+
+    - name: Checkout Code
+      uses: actions/checkout@v4.1.1
+
+    - name: Generate VEX
+      uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
+      with:
+        archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+        step: gen-vex
+        attestations: "environment git github vex"
+        command: |
+          /bin/sh -c 'vexctl create --product="pkg:oci/${{ github.repository }}@main" --vuln="CVE-2023-45285" --status="not_affected" --justification="inline_mitigations_already_exist" --file="./openvex.json"'
+
+    - name: Upload VEX
+      uses: actions/upload-artifact@v4.3.3
+      with:
+        name: vex
+        path: openvex.json

Dockerfile

@@ -0,0 +1,25 @@
+FROM cgr.dev/chainguard/go@sha256:605d81422aba573c17bfd6029a217e94a9575179a98355a99acbb6e028ca883b AS builder
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT=""
+ARG LDFLAGS
+
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 \
+    GOOS=${TARGETOS} \
+    GOARCH=${TARGETARCH} \
+    GOARM=${TARGETVARIANT}
+
+WORKDIR /build
+
+COPY . .
+
+RUN go build -o bin/software
+
+FROM golang:alpine3.18
+
+COPY --from=builder /build/bin/software /software
+
+ENTRYPOINT ["/software"]

README.md

@@ -0,0 +1,12 @@
+# demo-repo
+
+## Welcome to a JUDGE On-boarding Demo
+
+This is a template repository that is best used to create your own repo to customize.
+
+## "Typical" workflow experience (WIP)
+
+1. Take a look at the pipeline.yaml to see what the current build process looks like. It's a simple Docker build of a container image with a subsequent SBOM generation step.
+2. Next look at PR1
+3. Next look at PR2
+4. Finally kick off the manual VEX workflow.

go.mod

@@ -0,0 +1,5 @@
+module github.com/demo-john/demo-repo/swf
+
+go 1.21.1
+
+require github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be

go.sum

@@ -0,0 +1,2 @@
+github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=
+github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=

main.go

@@ -0,0 +1,14 @@
+package main
+
+import (
+	"github.com/common-nighthawk/go-figure"
+)
+
+func Hello() string {
+	return "Hello Demo!"
+}
+
+func main() {
+	myFigure := figure.NewFigure(Hello(), "starwars", true)
+	myFigure.Print()
+}

main_test.go

@@ -0,0 +1,14 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestHello(t *testing.T) {
+	got := Hello()
+	want := "Hello KubeCon!"
+
+	if got != want {
+		t.Errorf("got %q want %q", got, want)
+	}
+}

pr-1/pipeline.yml

@@ -0,0 +1,63 @@
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
+name: pipeline
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+
+    permissions:
+      packages: write
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+
+    steps:
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ghcr.io/${{ github.repository }}/swf
+
+    - name: Docker Login
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Setup Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Checkout Code
+      uses: actions/checkout@v4.1.1
+
+    - name: Build Image
+      uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
+      with:
+        archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+        step: build-image
+        attestations: "environment git github slsa"
+        command: /bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} --push ."
+
+    - name: Generate SBOM
+      uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
+      with:
+        archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+        step: gen-sbom
+        attestations: "environment git github sbom"
+        command: |
+          /bin/sh -c "curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.7.0 && \
+            syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/${{ github.repository }} -o cyclonedx-json --file sbom.cdx.json"
+
+    - name: Upload SBOM
+      uses: actions/upload-artifact@v4.3.3
+      with:
+        name: sbom
+        path: sbom.cdx.json

pr-2/Dockerfile

@@ -0,0 +1,25 @@
+FROM cgr.dev/chainguard/go@sha256:605d81422aba573c17bfd6029a217e94a9575179a98355a99acbb6e028ca883b AS builder
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT=""
+ARG LDFLAGS
+
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 \
+    GOOS=${TARGETOS} \
+    GOARCH=${TARGETARCH} \
+    GOARM=${TARGETVARIANT}
+
+WORKDIR /build
+
+COPY . .
+
+RUN go build -o bin/software
+
+FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472
+
+COPY --from=builder /build/bin/software /software
+
+ENTRYPOINT ["/software"]

scripts/prepare.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Create the first PR
+git checkout -b enable-witness main
+cp ./pr-1/pipeline.yml ./.github/workflows/pipeline.yml
+git add ./.github/workflows/pipeline.yml
+git commit -m "Enable witness"
+git push origin enable-witness
+gh pr create --base main --head enable-witness --fill
+
+# Create the second PR
+git checkout -b reduce-cves main
+cp ./pr-2/Dockerfile ./Dockerfile
+git add ./Dockerfile
+git commit -m "Reduce CVEs"
+git push origin reduce-cves
+gh pr create --base main --head reduce-cves --fill
+

scripts/tear-down.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+gh repo delete --confirm