chore: enable SBOM attestations for docker images by matifali · Pull Request #16894 · coder/coder · GitHub
chore: enable SBOM attestations for docker images #16894


chore: add syft and cosign for sbom attestation
Change-Id: I3f9b6e0447713eb16e50af9b1645d6cacf1af9fa
Signed-off-by: Thomas Kosiewski <tk@coder.com>
ThomasK33 committed Mar 12, 2025
commit 0ea76fefccdc73a257b23ee3b3b29a8ca7001d64
11 changes: 11 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -1024,6 +1024,7 @@ jobs:
# Necessary to push docker images to ghcr.io.
packages: write
# Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
# Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
id-token: write
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
Expand Down Expand Up @@ -1069,6 +1070,16 @@ jobs:
- name: Install zstd
run: sudo apt-get install -y zstd

- name: Install cosign
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
with:
cosign-release: "v2.4.3"

- name: Install syft
uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
with:
syft-version: "v1.20.0"

- name: Setup Windows EV Signing Certificate
run: |
set -euo pipefail
Expand Down
11 changes: 11 additions & 0 deletions .github/workflows/release.yaml
Expand Up @@ -122,6 +122,7 @@ jobs:
# Necessary to push docker images to ghcr.io.
packages: write
# Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
# Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
id-token: write
env:
# Necessary for Docker manifest
Expand Down Expand Up @@ -246,6 +247,16 @@ jobs:
apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
rm /tmp/rcodesign.tar.gz

- name: Install cosign
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
with:
cosign-release: "v2.4.3"

- name: Install syft
uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
with:
syft-version: "v1.20.0"

- name: Setup Apple Developer certificate and API key
run: |
set -euo pipefail
Expand Down
12 changes: 10 additions & 2 deletions dogfood/coder/Dockerfile
Expand Up @@ -278,7 +278,9 @@ ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \
KUBECTX_VERSION=0.9.4 \
STRIPE_VERSION=1.14.5 \
TERRAGRUNT_VERSION=0.45.11 \
TRIVY_VERSION=0.41.0
TRIVY_VERSION=0.41.0 \
SYFT_VERSION=1.20.0 \
COSIGN_VERSION=2.4.3

# cloud_sql_proxy, for connecting to cloudsql instances
# the upstream go.mod prevents this from being installed with go install
Expand Down Expand Up @@ -316,7 +318,13 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox
chmod a=rx /usr/local/bin/terragrunt && \
# AquaSec Trivy for scanning container images for security issues
curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- trivy
tar --extract --gzip --directory=/usr/local/bin --file=- trivy && \
# Anchore Syft for SBOM generation
curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux-amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- syft \
# Sigstore Cosign for artifact signing and attestation
curl --silent --show-error --location --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \
chmod a=rx /usr/local/bin/cosign

# We use yq during "make deploy" to manually substitute out fields in
# our helm values.yaml file. See https://github.com/helm/helm/issues/3141
Expand Down
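Review bot: The syft extraction line `tar --extract --gzip --directory=/usr/local/bin --file=- syft \` ends with a bare continuation and no `&&`, so once Docker drops the comment line that follows it, the cosign `curl` invocation and its flags are appended to tar's argument list instead of running as a separate command; the RUN step will fail on the unknown options, or at best never download cosign. It should read `tar --extract --gzip --directory=/usr/local/bin --file=- syft && \`, matching the trivy line just above it. The RUN instruction begins outside the hunk. Separately, both new binaries are trusted on the strength of a version tag alone; syft and cosign both publish checksum files alongside their releases, so a `sha256sum --check` against a pinned digest before the `chmod` would give the dogfood image the same integrity guarantee the workflows get from SHA-pinned actions.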
2 changes: 2 additions & 0 deletions flake.nix
Expand Up @@ -113,6 +113,7 @@
bat
cairo
curl
cosign
delve
dive
drpc.defaultPackage.${system}
Expand Down Expand Up @@ -161,6 +162,7 @@
shellcheck
(pinnedPkgs.shfmt)
sqlc
syft
unstablePkgs.terraform
typos
which
Expand Down
17 changes: 14 additions & 3 deletions scripts/build_docker.sh
Expand Up @@ -136,12 +136,10 @@ fi

log "--- Building Docker image for $arch ($image_tag)"

docker buildx build \
docker build \
--platform "$arch" \
--build-arg "BASE_IMAGE=$base_image" \
--build-arg "CODER_VERSION=$version" \
--provenance true \
--sbom true \
--no-cache \
--tag "$image_tag" \
-f Dockerfile \
Expand All @@ -155,4 +153,17 @@ if [[ "$push" == 1 ]]; then
docker push "$image_tag" 1>&2
fi

log "--- Generating SBOM for Docker image ($image_tag)"
syft "$image_tag" -o spdx-json >"${image_tag}.spdx.json"

if [[ "$push" == 1 ]]; then
log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"

COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
--predicate "${image_tag}.spdx.json" \
--yes \
"$image_tag"
fi

echo "$image_tag"
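Review bot: `syft "$image_tag" -o spdx-json >"${image_tag}.spdx.json"` uses the image tag as a file path; if `$image_tag` is registry-qualified (something like `ghcr.io/…/coder:tag`), the slashes make the redirect target a nested path that does not exist, the redirect fails and, with `set -e` in effect, the script dies before the attestation runs — I would write the predicate to a scratch file instead: `sbom_file=$(mktemp)`, `syft "$image_tag" -o spdx-json >"$sbom_file"`, and `--predicate "$sbom_file" \`. `cosign clean "$image_tag"` deletes every signature and attestation already attached to that tag in the registry, not only a stale SBOM, which deserves a comment stating that this is intended. `COSIGN_EXPERIMENTAL=1` is a cosign 1.x switch; keyless signing is the default in the 2.x release the workflows install, so the variable can be dropped from both lines. Since `--yes` also accepts the upload of the attestation to the public Rekor transparency log, a one-line comment noting that the SBOM becomes publicly discoverable would help future readers. The script's `set` options and the definition of `$push` are outside the hunk.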
21 changes: 5 additions & 16 deletions scripts/build_docker_multiarch.sh
Expand Up @@ -77,24 +77,13 @@ done

# Sadly, manifests don't seem to support labels.
log "--- Creating multi-arch Docker image ($target)"

# Create a buildx builder instance if it doesn't exist
if ! docker buildx inspect multiarch-builder &>/dev/null; then
docker buildx create --name multiarch-builder --use
fi

# Create manifest with buildx imagetools
log "--- Creating multi-arch manifest with attestations"

# For images with attestations, we preserve the entire structure by using image tags directly,
# letting Docker handle retrieving both the architecture manifests and attestation manifests
docker buildx imagetools create --tag "$target" "$@"
docker manifest create \
"$target" \
"${create_args[@]}"

if [[ "$push" == 1 ]]; then
log "--- Verifying multi-arch Docker image ($target)"
# The manifest is already created and pushed when using buildx imagetools create
# We just need to verify it exists
docker buildx imagetools inspect "$target"
log "--- Pushing multi-arch Docker image ($target)"
docker manifest push "$target"
fi

echo "$target"
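Review bot: The attestations produced in build_docker.sh are bound to each per-arch image digest, but `docker manifest create` and `docker manifest push` produce a new manifest list with its own digest and carry nothing over, so as far as I can tell `cosign verify-attestation` against `$target` finds no SBOM even though every architecture tag has one. After `docker manifest push "$target"` the list itself needs its own `cosign attest` (or at least `cosign sign`) call so the tag consumers actually pull is covered; which predicate to attach to a multi-arch list is a design decision worth recording in a comment either way. `create_args` is built above the hunk, so I cannot confirm it lists every arch tag the earlier loop processed.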