mchmarny / sbominator
Custom Google Cloud Build step to create a Software Bill of Materials (SBOM) and Binary Authorization attestation.

License: Apache License 2.0

Topics: build cloudbuild cosign docker pipeline sbom snyk


sbominator

Custom build step for generating Software Bill of Materials (SBOM) for a container image. When added to your Google Cloud Build pipeline, it will:

Setup

First, enable the required APIs:

gcloud services enable \
  artifactregistry.googleapis.com \
  binaryauthorization.googleapis.com \
  cloudkms.googleapis.com \
  container.googleapis.com \
  containerregistry.googleapis.com \
  containersecurity.googleapis.com

Cloud Build

To use this build step, the Cloud Build service account needs the following IAM roles:

  • Binary Authorization Attestor Viewer: roles/binaryauthorization.attestorsViewer
  • Cloud KMS CryptoKey Decrypter: roles/cloudkms.cryptoKeyDecrypter
  • Cloud KMS CryptoKey Signer/Verifier: roles/cloudkms.signerVerifier
  • Container Analysis Notes Attacher: roles/containeranalysis.notes.attacher

To ensure that the Cloud Build service account in your project has these roles:

export PROJECT_ID="<your project id>"

gcloud config set project $PROJECT_ID

export PROJECT_NUMBER=$(gcloud projects list \
  --filter="$PROJECT_ID" \
  --format="value(PROJECT_NUMBER)")

export BUILD_SA="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member $BUILD_SA \
  --role roles/binaryauthorization.attestorsViewer

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member $BUILD_SA \
  --role roles/cloudkms.cryptoKeyDecrypter

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member $BUILD_SA \
  --role roles/cloudkms.signerVerifier

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member $BUILD_SA \
  --role roles/containeranalysis.notes.attacher

KMS

Create a key ring and a key for asymmetric signing with the following commands:

details: https://cloud.google.com/kms/docs/creating-asymmetric-keys

# replace if you want to deploy to a different location
export REGION="us-west1"
export NAME="sbominator"
# the signing key lives in the key ring named after $NAME
export KEY="${NAME}-signer"

gcloud kms keyrings create $NAME \
  --project $PROJECT_ID \
  --location $REGION

gcloud kms keys create $KEY \
  --project $PROJECT_ID  \
  --location $REGION \
  --keyring $NAME \
  --purpose asymmetric-signing \
  --default-algorithm rsa-sign-pkcs1-4096-sha512

Binary Authorization

Create attestation note:

curl "https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NAME}-note" \
  --request "POST" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --header "X-Goog-User-Project: ${PROJECT_ID}" \
  --data-binary @- <<EOF
    {
      "name": "projects/${PROJECT_ID}/notes/${NAME}-note",
      "attestation": {
        "hint": {
          "human_readable_name": "${NAME} note"
        }
      }
    }
EOF

Create the Attestor and add the asymmetric signing key to it:

details: https://cloud.google.com/sdk/gcloud/reference/alpha/container/binauthz/attestors/public-keys/add

gcloud container binauthz attestors create $NAME \
  --project $PROJECT_ID \
  --attestation-authority-note-project $PROJECT_ID \
  --attestation-authority-note "${NAME}-note" \
  --description "${NAME} attestor"

gcloud beta container binauthz attestors public-keys add \
  --project $PROJECT_ID \
  --attestor $NAME \
  --keyversion "1" \
  --keyversion-key $KEY \
  --keyversion-keyring $NAME \
  --keyversion-location $REGION \
  --keyversion-project $PROJECT_ID

Cloud Build config

Print the variables, and add them to substitutions in your cloudbuild.yaml:

see example/cloudbuild.yaml for an example

echo "
_KMS_KEY: projects/${PROJECT_ID}/locations/${REGION}/keyRings/${NAME}/cryptoKeys/${KEY}/cryptoKeyVersions/1
_BIN_AUTHZ_ID: projects/${PROJECT_ID}/attestors/${NAME}
"

Usage

When signing images, do it based on the image digest, not the image tag: a tag can be moved to a different image after signing, a digest cannot. When publishing the image to GCP Artifact Registry, you should also extract the digest of the newly published image. To enable other steps in the pipeline to access that digest, write it to a temporary file like this:

docker image inspect $IMAGE_TAG --format '{{index .RepoDigests 0}}' > image-digest.txt

To add the SBOM generation to your pipeline, add the following step to your pipeline, anywhere after the image is published and the digest is written to file:

- id: sbom
  name: us-docker.pkg.dev/cloudy-tools/builders/sbominator@sha256:d863f7bdf10e63f9f43298e73aad5886b87245827497b8333c038d6c1d2bdc58
  entrypoint: /bin/bash
  env:
  - PROJECT=$PROJECT_ID
  - KEY=$_KMS_KEY
  - COMMIT=$COMMIT_SHA
  - VERSION=$TAG_NAME
  - ATTESTOR=$_BIN_AUTHZ_ID # optional - to add binary attestation
  args:
  - -c
  - |
    builder $(/bin/cat image-digest.txt)
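As an added example (not code from the sbominator project), a POSIX shell guard for the digest file described above: it refuses to hand anything but a digest-pinned reference (repo@sha256:<64 hex>) to the sbom step. The helper names `is_digest_ref`, `digest_of` and `require_digest_file` are assumptions, and the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not part of sbominator: guard the value read from
# image-digest.txt so that only a digest-pinned reference is ever passed to
# the sbom/attestation step. A tag can be re-pointed after signing; a digest
# cannot.

# Return 0 if $1 is a digest-pinned image reference, 1 otherwise.
is_digest_ref() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest="${1##*@sha256:}"
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;   # OCI digests are lowercase hex
  esac
  return 0
}

# Print the "sha256:<hex>" part of a pinned reference, or fail.
digest_of() {
  is_digest_ref "$1" || return 1
  printf '%s\n' "${1##*@}"
}

# Read the digest file (path in $1), reject anything that is not
# digest-pinned, and print the reference for the builder to consume.
require_digest_file() {
  ref=$(cat "$1") || return 1
  if ! is_digest_ref "$ref"; then
    echo "refusing to sign non-digest reference: $ref" >&2
    return 1
  fi
  printf '%s\n' "$ref"
}

# Constructed sample file (the digest value is the builder image's own digest
# from this README, reused only as a plausible-looking value).
sample=$(mktemp)
printf '%s\n' "us-docker.pkg.dev/my-project/my-repo/app@sha256:d863f7bdf10e63f9f43298e73aad5886b87245827497b8333c038d6c1d2bdc58" > "$sample"
# In the pipeline step this would replace: builder $(/bin/cat image-digest.txt)
require_digest_file "$sample" && echo "ok: digest-pinned reference"
rm -f "$sample"
```

In the pipeline step, `builder $(require_digest_file image-digest.txt)` fails the build instead of signing a tag if an earlier step wrote a tag reference by mistake.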

Both the COMMIT sha and the VERSION tag are automatically included variables for tag-triggered pipelines:

A complete pipeline with all the steps in the image below is available in the example folder.

Technology

This builder uses the following open source projects:

Additionally, this builder uses the Google Cloud CLI (gcloud) for environment configuration.

Disclaimer

This is my personal project and it does not represent my employer. While I do my best to ensure that everything works, I take no responsibility for issues caused by this code.
