Skip to content

feat: supply chain security - trivy, sbom, cosign (epic #99)#111

Open
bgauduch wants to merge 4 commits into
masterfrom
feat/99-supply-chain-security
Open

feat: supply chain security - trivy, sbom, cosign (epic #99)#111
bgauduch wants to merge 4 commits into
masterfrom
feat/99-supply-chain-security

Conversation

@bgauduch

Copy link
Copy Markdown
Owner

Summary

Implements epic #99 — supply chain security hardening across the CI/CD pipeline.

Changes

  • Trivy vulnerability scanning (build-test.yml): Adds a scan step after the Docker build (amd64 test image) using aquasecurity/trivy-action@0.36.0. Scans OS and library packages, fails the build on unfixed CRITICAL vulnerabilities.

  • SBOM generation (release.yml): After each release image push, generates a SPDX-JSON Software Bill of Materials using anchore/sbom-action@v0.24.0 and uploads it as a release asset via anchore/sbom-action/publish-sbom.

  • Cosign keyless image signing (release.yml): After each release image push, signs the image digest using sigstore/cosign-installer@v4.1.1 with keyless OIDC signing (Sigstore). No long-lived keys required.

  • Least-privilege permissions (all workflows): Adds explicit permissions: blocks at the workflow level to enforce minimum required permissions:

    • lint-dockerfile.yml: contents: read
    • build-test.yml: contents: read
    • push-latest.yml: contents: read, packages: write
    • release.yml: contents: read, packages: write, id-token: write (required for cosign OIDC)
    • dockerhub-description-update.yml: contents: read
  • PR trigger (build-test.yml): Adds pull_request trigger targeting master so vulnerability scans run on PRs before merge.

  • SECURITY.md: Responsible disclosure policy, supported versions, security measures overview, and instructions for verifying image signatures with cosign.

Verifying signed images

cosign verify ghcr.io/bgauduch/terraform-aws-cli:<tag> \
  --certificate-identity-regexp="https://github.com/bgauduch/terraform-aws-cli/.github/workflows/release.yml@refs/tags/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

Test plan

  • Push a branch with a Dockerfile change and verify the Trivy scan step runs and blocks on CRITICAL unfixed CVEs
  • Open a PR targeting master and verify the build-test workflow triggers via the pull_request event
  • Publish a release and verify: SBOM .spdx.json files are attached to the release assets, cosign signs the image digest without error
  • Confirm id-token: write permission is present in release.yml (required for keyless OIDC signing)
  • Validate all workflow YAML files are syntactically valid

Closes #99


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

epic: supply chain security

2 participants