Merge pull request #877 from Checkmarx/feature/elchanan/signing_docke…

…r_images

 Implement Container Signing for Docker Images (AST-51994)

.github/workflows/release.yml

@@ -114,6 +114,17 @@ jobs:
           SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
           SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
           SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} # Secret for Cosign private key
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}       # Secret for Cosign password
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}   # Secret for Cosign public key
+
+      - name: Verify Docker image signature
+        if: inputs.dev == false
+        run: |
+          echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub
+          cosign verify --key cosign.pub checkmarx/ast-cli:${{ inputs.tag }}
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
   notify:
     runs-on: ubuntu-latest

.goreleaser.yml

@@ -57,6 +57,22 @@ builds:
       - -w
       - -X github.com/checkmarx/ast-cli/internal/params.Version={{.Version}}
 
+docker_signs:
+  - id: ast-cli-signing
+    cmd: cosign
+    args:
+      - "sign"
+      - "--key-env=COSIGN_PRIVATE_KEY"   # Private key from environment variable
+      - "${artifact}"                    # The artifact (image or manifest) to be signed
+      - "--yes"                          # Required for Cosign 2.0.0+
+    artifacts: images                     # Sign Docker images
+    stdin: "{{ .Env.COSIGN_PASSWORD }}"   # Password from environment variable
+    env:
+      - COSIGN_PRIVATE_KEY={{ .Env.COSIGN_PRIVATE_KEY }}  # Private key from GitHub Secrets
+      - COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}        # Password from GitHub Secrets
+      - COSIGN_PUBLIC_KEY={{ .Env.COSIGN_PUBLIC_KEY }}    # Public key from GitHub Secrets
+    output: true
+
 dockers:
   - use: docker
     dockerfile: Dockerfile