Skip to content

Commit

Permalink
Implement Container Signing for Docker Images
Browse files Browse the repository at this point in the history
  • Loading branch information
@elchananarb
elchananarb committed Sep 17, 2024
1 parent 2b61c4b commit 05ba385
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,10 @@ jobs:
SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} # Secret for Cosign private key
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} # Secret for Cosign password
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} # Secret for Cosign public key


notify:
runs-on: ubuntu-latest
Expand Down
16 changes: 16 additions & 0 deletions .goreleaser.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,22 @@ builds:
- -w
- -X github.com/checkmarx/ast-cli/internal/params.Version={{.Version}}

docker_signs:
- id: ast-cli-signing
cmd: cosign
args:
- "sign"
- "--key-env=COSIGN_PRIVATE_KEY" # Private key from environment variable
- "${artifact}" # The artifact (image or manifest) to be signed
- "--yes" # Required for Cosign 2.0.0+
artifacts: images # Sign Docker images
stdin: "{{ .Env.COSIGN_PASSWORD }}" # Password from environment variable
env:
- COSIGN_PRIVATE_KEY={{ .Env.COSIGN_PRIVATE_KEY }} # Private key from GitHub Secrets
- COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }} # Password from GitHub Secrets
- COSIGN_PUBLIC_KEY={{ .Env.COSIGN_PUBLIC_KEY }} # Public key from GitHub Secrets
output: true

dockers:
- use: docker
dockerfile: Dockerfile
Expand Down

0 comments on commit 05ba385

Please sign in to comment.