From 3c723f35246823610de5d086c091f6e693a627a3 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Sun, 14 Apr 2024 17:06:32 -0500
Subject: [PATCH] Update to use witness with slsa attestor

Signed-off-by: John Kjell
---
 .github/workflows/pipeline.yml | 6 +++---
 .github/workflows/witness.yml | 4 ++--
 policy.rego | 29 +++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 5 deletions(-)
 create mode 100644 policy.rego

diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 6db3648..78de5fd 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -110,7 +110,7 @@ jobs:
 uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5
 with:
 step: build-image
- attestations: "git github environment"
+ attestations: "git github environment slsa"
 command: |
 /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
 outputs:
@@ -122,7 +122,7 @@ jobs:
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: save-image
- attestations: "git github environment oci"
+ attestations: "git github environment slsa oci"
 command: |
 docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
 artifact-upload-name: image.tar
@@ -184,7 +184,7 @@ jobs:
 attestations: "git github environment"
 artifact-download: image.tar
 pre-command: |
- curl -sSfL https://github.com/in-toto/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \
+ curl -sSfL https://github.com/in-toto/witness/releases/download/v0.4.0-beta/witness_0.4.0-beta_linux_amd64.tar.gz -o witness.tar.gz && \
 tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
 command: |
 witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index b08bff3..f41bc50 100644
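Review bot: The build-image step gains the `slsa` attestor in its `attestations:` string, but the `uses:` line shown as context in this same hunk still pins `testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5`, while witness.yml is moved to the `9bb35413… # v0.2.0-beta` commit in the same patch. If the slsa attestor only exists in the witness release bundled with the newer action, this job will either fail at attestation time or run without the attestor; pin build-image to the same commit as witness.yml, or add a comment on the `uses:` line explaining why it stays on v0.1.5. The save-image hunk appears to go through the reusable witness.yml workflow (its `pull_request`/`artifact-upload-name` inputs match that file) and so presumably picks up the bump — worth confirming. The enclosing `build-image` job starts before this hunk.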
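Review bot: The `pre-command` in the third pipeline.yml hunk still installs the verifier from a bare `curl … -o witness.tar.gz` with no integrity check, and the new line moves it to a prerelease, `v0.4.0-beta`; since this binary is what evaluates `policy-signed.json` on the next `witness verify` line, a tampered or truncated download would decide the verification gate without any error. Check the archive before extracting it, for example `echo "<expected-sha256>  witness.tar.gz" | sha256sum -c - && \` inserted between the `curl` and `tar -xzvf` lines, with the digest taken from the release's published checksums and pinned alongside the version. A comment such as `# v0.4.0-beta needed for the slsa attestor; replace with a tagged release when available` would also record why a beta is pinned for a verification step. The enclosing job starts before this hunk.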
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -56,7 +56,7 @@ jobs:
 path: /tmp
 - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
- uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5
+ uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta
 with:
 step: pre-${{ inputs.step }}
 attestations: ${{ inputs.attestations }}
@@ -65,7 +65,7 @@ jobs:
 run: ${{ inputs.pre-command }}
 - if: ${{ inputs.pull_request == false }}
- uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5
+ uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta
 with:
 step: ${{ inputs.step }}
 attestations: ${{ inputs.attestations }}
diff --git a/policy.rego b/policy.rego
new file mode 100644
index 0000000..5d7a201
--- /dev/null
+++ b/policy.rego
@@ -0,0 +1,29 @@
+policy rego
+
+// lint commandrun cmd validation
+package commandrun.cmd
+
+deny[msg] {
+ input.cmd != ["/bin/sh", "-c", "hadolint -f sarif Dockerfile > hadolint.sarif"]
+ msg := "unexpected cmd"
+}
+
+// all github jwt validation
+package github.attributes
+
+import rego.v1
+
+deny[msg] if {
+ input.jwt.claims.iss != "https://token.actions.githubusercontent.com"
+ msg := "unexpected issuer"
+}
+
+deny[msg] if {
+ input.projecturl != "https://github.com/testifysec/swf"
+ msg := "unexpected projecturl"
+}
+
+deny[msg] if {
+ not startswith(input.jwt.claims.workflow_ref, "testifysec/swf/.github/workflows/pipeline.yml")
+ msg := "unexpected workflow_ref"
+}
\ No newline at end of file
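Review bot: As added, `policy.rego` is not a loadable Rego module: the leading `policy rego` line is not Rego, `//` is not a comment delimiter in Rego (`#` is), and a module may declare only one `package`, yet this file declares both `commandrun.cmd` and `github.attributes`. If these are snippets meant to be embedded separately into the witness policy, split them into one file per package with `#` comments and document how `policy-signed.json` is regenerated from them, since nothing in this patch updates that file even though the pipeline now emits slsa attestations. Under `import rego.v1`, `deny[msg] if { … }` defines a single-value (object) rule rather than a set; the multi-value form is `deny contains msg if { … }` for all three rules in the second package — confirm against the OPA version witness embeds. The last rule only checks that `workflow_ref` starts with the workflow path, so a run of pipeline.yml from any branch, tag or fork-merged ref satisfies it; if only builds from a release branch should verify, compare the full ref (for example `…/pipeline.yml@refs/heads/<release-branch>`, placeholder to be filled in) or add a check on the `ref` claim. The file also lacks a trailing newline.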