Comments (6)
pieterlexis
commented on July 2, 2024
I'm using the DSSE signing implementation of sigstore in #91 which indeed generates the payload and signatures as defined in in-toto.
I think the integration of the generated, signed provenance is beyond the scope of what I intended to implement in #91.
from slsa-provenance-action.
marcofranssen
commented on July 2, 2024
@pieterlexis yes integrating the attaching to docker images or auto uploading to Github releases can be done from separate PR.
from slsa-provenance-action.
ChaosInTheCRD
commented on July 2, 2024
I would be interested in working on this PR ✋ 😄
from slsa-provenance-action.
ChaosInTheCRD
commented on July 2, 2024
For Docker Images, I have been looking at the implementation within Tekton Chains... and I can see it could be possible to do something similar here too
I wonder if this should be integrated as part of the sign-provenance action that @pieterlexis has written. In an ideal world, you would be able to have all of this completed within a single command, like:
- Declare the repo, digest, tags etc.
- Generate Provenance
- Sign the Provenance
- Push the Provenance to the remote
That way, you can be sure that the attestation has not been modified / compromised before it makes it to the registry.
I wonder if it would be worthwhile for me to expand on #88 so someone can just call a flag that allows a user to achieve all of this for a docker image. As far as I can see with SLSA, this is a common flow for anyone wanting to generate Level 2 Provenance for an image.
from slsa-provenance-action.
marcofranssen
commented on July 2, 2024
@ChaosInTheCRD what you have shared in your workflow tryout https://github.com/ChaosInTheCRD/mic-test/runs/4514052305?check_suite_focus=true is exactly what we would like to achieve once this PR and #88 are merged in a single line command. @pieterlexis could you also have a look at @ChaosInTheCRD his workflow we can achieve this with the combination of both PR's?
from slsa-provenance-action.
pieterlexis
commented on July 2, 2024
The sign action I implemented can sign any json that looks like provenance. Signing actual container images might be out of scope for this (and cosign does that just fine).
If you want to sign the provenance about the container, my action could do that as long as the provenance is in the same format.
from slsa-provenance-action.
Related Issues (20)
- Start using cosign transparency log using rekor and fulcio
- Action is not able to pull private images HOT 1
- Use att extension for provenance HOT 3
- Integrate cosign provenance attachment to Docker HOT 2
- Provenance probably incorrect when creating multiple subjects in one workflow.
- Action is broken HOT 13
- use keyless approach to sign and verify project HOT 8
- Update documentation and readme
- Add workflow to continuously check the sboms for vulnerabilites using grype
- Latest release v0.7.1 is missing provenance asset HOT 1
- Unable to use this action from macos-latest HOT 2
- Re-use SLSA provenance action - Reusable Workflow OR Composite Action OR Example
- Rename SBOM artifacts to exclude ".tar.gz" HOT 1
- Container provenance does not contain tags as subjects
- signature not found in transparency log for slsa-provenance_0.7.2_linux_amd64.tar.gz HOT 2
- Releases are not automatically published in the marketplace HOT 1
- Show example of output file
- Build is failing because of pagination problems.
- GitLab Support HOT 5
- entryPoint in report is incorrect HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from slsa-provenance-action.