From 5ffc9ce2b3f3e786040f2b84c805756d8ded4564 Mon Sep 17 00:00:00 2001 From: Kris Coleman Date: Fri, 17 Nov 2023 15:44:41 -0500 Subject: [PATCH 1/3] demo: demonstrate that policy verification will deny the removal of a important stage of our workflow that is required in our policy --- .github/workflows/pipeline.yml | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index aace37e..d3af2bd 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -143,21 +143,6 @@ jobs: artifact-upload-name: syft.spdx.json artifact-upload-path: syft.spdx.json - cve-scan: - needs: save-image - uses: ./.github/workflows/witness.yml - with: - pull_request: ${{ github.event_name == 'pull_request' }} - step: cve-scan - attestations: "git github environment" - artifact-download: image.tar - pre-command: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - command: | - grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif - artifact-upload-name: grype.sarif - artifact-upload-path: grype.sarif - secret-scan: needs: save-image uses: ./.github/workflows/witness.yml @@ -174,7 +159,7 @@ jobs: artifact-upload-path: trufflehog.json verify: - needs: [ generate-sbom, cve-scan, secret-scan] + needs: [ generate-sbom, secret-scan] if: ${{ github.event_name == 'push' }} uses: ./.github/workflows/witness.yml From 1a8740f63b832732c3bf6edf9a37223ef138b873 Mon Sep 17 00:00:00 2001 From: Kris Coleman Date: Fri, 17 Nov 2023 15:50:13 -0500 Subject: [PATCH 2/3] fix: don't skip verify? --- .github/workflows/pipeline.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index d3af2bd..0216421 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml 
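Review bot: The new side of this hunk leaves no trace that the cve-scan job was removed on purpose, although the commit message says the removal exists to show that policy verification denies it; a later maintainer reading pipeline.yml alone sees only a missing job and a verify step that is denied. A comment above `secret-scan:` such as `# cve-scan intentionally removed for the policy-denial demo; verify is expected to be denied until it is restored` records that intent in the file. The secret-scan job itself continues past the end of the hunk.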
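Review bot: The rewritten `needs` list in the verify job mixes spacing inside the flow sequence — `needs: [ generate-sbom, secret-scan]` has a space after `[` but none before `]`. Either `needs: [generate-sbom, secret-scan]` or `needs: [ generate-sbom, secret-scan ]` is consistent; yamllint's `brackets` rule at its defaults rejects the extra space inside the bracket. The verify job's body continues beyond this hunk.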
@@ -161,7 +161,6 @@ jobs: verify: needs: [ generate-sbom, secret-scan] - if: ${{ github.event_name == 'push' }} uses: ./.github/workflows/witness.yml with: pull_request: ${{ github.event_name == 'pull_request' }} From 76ff9ad8c8b1dc6c21355822a36168aac090fbbc Mon Sep 17 00:00:00 2001 From: Kris Coleman Date: Fri, 17 Nov 2023 15:55:28 -0500 Subject: [PATCH 3/3] fix: use in-toto instead of testifysec when pulling witness --- .github/workflows/pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 0216421..7b42021 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -168,7 +168,7 @@ jobs: attestations: "git github environment" artifact-download: image.tar pre-command: | - curl -sSfL https://github.com/testifysec/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \ + curl -sSfL https://github.com/in-toto/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \ tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz command: | witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
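Review bot: Dropping `if: ${{ github.event_name == 'push' }}` makes the verify job run on pull_request events as well, where witness.yml receives `pull_request: true`; the hunk does not show what that input changes inside the reusable workflow, so whether `witness verify` still runs with the same policy and key on a PR has to be confirmed there. Running the policy check before merge is the more useful placement, since a denied removal then surfaces on the PR rather than after it lands on the default branch. The commit title ends in a question mark, so the intent is worth pinning in the file, for example `# verify also runs on pull_request so policy denials surface before merge` above `verify:`. The verify job starts in this hunk's context lines but its inputs continue beyond it.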
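Review bot: The rewritten `curl` line still installs the witness release into /usr/local/bin without verifying what was downloaded, and this binary is the one that then runs `witness verify` against policy-signed.json, so the trust anchor of the verify job is itself an unverified download. Pinning v0.1.14 in the URL does not protect against a replaced or tampered release asset; a digest check between the download and the `tar -xzvf` does, e.g. `echo "<EXPECTED_SHA256>  witness.tar.gz" | sha256sum -c - && \` inserted before the extraction line, with the expected digest taken from the release's published checksums. Moving the URL from the testifysec organisation to in-toto is fine, but the verification step should go in at the same time since the project move is exactly the kind of event in which a stale URL could start serving something else.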