Merge recent GHA and Witness updates into main (#8)

Update to new version of Witness and GitHub action. Also enhances the policy. --------- Signed-off-by: John Kjell <john@testifysec.com> Co-authored-by: Mikhail Swift <mikhail@testifysec.com>
testifysec · Jun 28, 2024 · 425fe29 · 425fe29
1 parent 61f1419
commit 425fe29
Show file tree

Hide file tree

Showing 6 changed files with 161 additions and 174 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -6,67 +6,76 @@ name: pipeline
 
 on:
   push:
-    branches: [ "main", "feat/witness-run-action" ]
+    branches:
+      - '*'
   pull_request:
-    branches: [ "main", "feat/witness-run-action" ]
+    branches:
+      - '*'
 
 jobs:
   fmt:
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: fmt
       attestations: "git github environment"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
       command: go fmt ./...
 
   vet:
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: vet
       attestations: "git github environment"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
       command: go vet ./...
 
   # --ignore DL3002    
   lint:
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: lint
+      pre-command-attestations: "git github environment"
       attestations: "git github environment"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
       pre-command: |
         curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
         chmod +x /usr/local/bin/hadolint
-      command: hadolint -f sarif --ignore DL3002 Dockerfile > hadolint.sarif
+      command: hadolint -f sarif Dockerfile > hadolint.sarif
       artifact-upload-name: hadolint.sarif
       artifact-upload-path: hadolint.sarif
 
   unit-test:
     needs: [ fmt, vet, lint ]
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: unit-test
       attestations: "git github environment"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
       command: go test ./... -coverprofile cover.out
       artifact-upload-name: cover.out
       artifact-upload-path: cover.out
 
   sast:
     needs: [ fmt, vet, lint ]
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: sast
+      pre-command-attestations: "git github environment"
       attestations: "git github environment"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
       pre-command: python3 -m pip install semgrep==1.45.0
       command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
       artifact-upload-name: semgrep.sarif
       artifact-upload-path: semgrep.sarif
 
   build:
     needs: [ unit-test, sast ]
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: build 
@@ -107,64 +116,56 @@ jobs:
         use: true
 
     - name: Build Image
-      uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5
+      uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
       with:
+        version: 0.6.0
         step: build-image
-        attestations: "git github environment"
+        attestations: "git github environment slsa"
+        archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"        
         command: |
           /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
     outputs:
       tags: ${{ steps.meta.outputs.tags }}
 
   save-image:
     needs: build-image
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
-      step: save-image 
-      attestations: "git github environment oci"
+      step: save-image
+      attestations: "git github environment slsa oci"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
       command: |
         docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
       artifact-upload-name: image.tar
       artifact-upload-path: image.tar
 
   generate-sbom:
     needs: save-image
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: generate-sbom 
-      attestations: "git github environment"
+      pre-command-attestations: "git github environment"
+      attestations: "git github environment sbom"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
       artifact-download: image.tar
       pre-command: |
         curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
       command: |
-        syft packages docker-archive:/tmp/image.tar -o spdx-json --file syft.spdx.json
-      artifact-upload-name: syft.spdx.json
-      artifact-upload-path: syft.spdx.json
-
-  cve-scan:
-    needs: save-image
-    uses: ./.github/workflows/witness.yml
-    with:
-      pull_request: ${{ github.event_name == 'pull_request' }}
-      step: cve-scan 
-      attestations: "git github environment"
-      artifact-download: image.tar
-      pre-command: |
-        curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
-      command: |
-        grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif
-      artifact-upload-name: grype.sarif
-      artifact-upload-path: grype.sarif
+        syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
+      artifact-upload-name: sbom.cdx.json
+      artifact-upload-path: sbom.cdx.json
 
   secret-scan:
     needs: save-image
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: secret-scan
+      pre-command-attestations: "git github environment"
       attestations: "git github environment"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
       artifact-download: image.tar
       pre-command: |
         curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
@@ -174,17 +175,19 @@ jobs:
       artifact-upload-path: trufflehog.json
 
   verify:
-    needs: [ generate-sbom, cve-scan, secret-scan]
+    needs: [ generate-sbom, secret-scan]
 
     if: ${{ github.event_name == 'push' }}
-    uses: ./.github/workflows/witness.yml
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: verify 
+      pre-command-attestations: "git github environment"
       attestations: "git github environment"
+      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
       artifact-download: image.tar
       pre-command: |
-        curl -sSfL https://github.com/in-toto/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \
+        curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
         tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
       command: |
-        witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
+        witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge-api.aws-sandbox-staging.testifysec.dev -l debug
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
diff --git a/Dockerfile b/Dockerfile
@@ -20,7 +20,7 @@ RUN go build -o bin/software
 
 FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472
 
-USER root
+#USER root
 
 COPY --from=builder /build/bin/software /software
 

diff --git a/policy-signed.json b/policy-signed.json