Update to use witness with slsa attestor

Signed-off-by: John Kjell <john@testifysec.com>
testifysec · Apr 14, 2024 · 3c723f3 · 3c723f3
1 parent 61f1419
commit 3c723f3
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 5 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -110,7 +110,7 @@ jobs:
       uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5
       with:
         step: build-image
-        attestations: "git github environment"
+        attestations: "git github environment slsa"
         command: |
           /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
     outputs:
@@ -122,7 +122,7 @@ jobs:
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: save-image 
-      attestations: "git github environment oci"
+      attestations: "git github environment slsa oci"
       command: |
         docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
       artifact-upload-name: image.tar
@@ -184,7 +184,7 @@ jobs:
       attestations: "git github environment"
       artifact-download: image.tar
       pre-command: |
-        curl -sSfL https://github.com/in-toto/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \
+        curl -sSfL https://github.com/in-toto/witness/releases/download/v0.4.0-beta/witness_0.4.0-beta_linux_amd64.tar.gz -o witness.tar.gz && \
         tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
       command: |
         witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
@@ -56,7 +56,7 @@ jobs:
               path: /tmp
 
           - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
-            uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5
+            uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta
             with:
               step: pre-${{ inputs.step }}
               attestations: ${{ inputs.attestations }}
@@ -65,7 +65,7 @@ jobs:
             run: ${{ inputs.pre-command }}
 
           - if: ${{ inputs.pull_request == false }}
-            uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5
+            uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta
             with:
               step: ${{ inputs.step }}
               attestations: ${{ inputs.attestations }}

diff --git a/policy.rego b/policy.rego
@@ -0,0 +1,29 @@
+policy rego
+
+// lint commandrun cmd validation
+package commandrun.cmd
+
+deny[msg] {
+	input.cmd != ["/bin/sh", "-c", "hadolint -f sarif Dockerfile > hadolint.sarif"]
+	msg := "unexpected cmd"
+}
+
+// all github jwt validation
+package github.attributes
+
+import rego.v1
+
+deny[msg] if {
+	input.jwt.claims.iss != "https://token.actions.githubusercontent.com"
+	msg := "unexpected issuer"
+}
+
+deny[msg] if {
+	input.projecturl != "https://github.com/testifysec/swf"
+	msg := "unexpected projecturl"
+}
+
+deny[msg] if {
+	not startswith(input.jwt.claims.workflow_ref, "testifysec/swf/.github/workflows/pipeline.yml")
+	msg := "unexpected workflow_ref"
+}