From ae2f4c837e2be6e1da1d1a76cd381ed40da9f7e4 Mon Sep 17 00:00:00 2001
From: Alex Rosenzweig
Date: Sun, 23 Jun 2024 13:50:39 +1000
Subject: [PATCH] signed SBOMs

---
 .github/workflows/build_and_publish.yaml | 28 +++++++++++++++++-------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
index 5a278d2..60fcd6d 100644
--- a/.github/workflows/build_and_publish.yaml
+++ b/.github/workflows/build_and_publish.yaml
@@ -54,21 +54,30 @@ jobs:
 - name: Push Docker Image to GHCR
 run: |
 docker push ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
- docker tag ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} ${{ env.IMAGE_NAME }}:latest
- docker push ${{ env.IMAGE_NAME }}:latest

 - name: Get Image Digest
 id: image-digest
 run: |
 DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }})
 echo "DIGEST=${DIGEST}" >> $GITHUB_ENV
+
+ # SBOM generation and signing
+ - name: Generate SBOM
+ run: syft ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} -o json > sbom.json
+
+ - name: Sign SBOM with Cosign
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ cosign sign-blob --yes --key <(echo "${{ secrets.COSIGN_PRIVATE_KEY }}") sbom.json > sbom.json.sig

- - name: Sign Docker Image with Cosign
+ - name: Attach SBOM to Docker Image
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
- cosign sign --yes --key <(echo "${{ secrets.COSIGN_PRIVATE_KEY }}") ${{ env.DIGEST }}
+ cosign attach sbom --sbom sbom.json --key <(echo "${{ secrets.COSIGN_PRIVATE_KEY }}") ${{ env.DIGEST }}

+ # Scan Image then Sign if Okay
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.23.0
 with:
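Review bot: The signing key is spliced into the shell script text through `<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")` in the `Sign SBOM with Cosign` and `Attach SBOM to Docker Image` steps (and again in the `Sign Docker Image with Cosign` step of the second hunk), so the key material is rendered into the command line instead of staying in the process environment where the log masker and tracing cannot echo it back. Cosign reads keys from the environment directly: put `COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}` under each step's `env:` next to `COSIGN_PASSWORD` and replace the process substitution with `--key env://COSIGN_PRIVATE_KEY`. Separately, as far as I know `cosign attach sbom` has no `--key` flag and only uploads the SBOM as an unsigned OCI attachment, so this step would either error or leave the attached SBOM unsigned; if a signed SBOM bound to the image digest is the goal, `cosign attest --predicate sbom.json --type <sbom-predicate-type> --key env://COSIGN_PRIVATE_KEY ${{ env.DIGEST }}` is the supported path and makes the detached `sbom.json.sig` redundant — please confirm against the installed cosign version. The Trivy step's `with:` block continues past the end of this hunk.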
@@ -81,9 +90,12 @@ jobs:
 severity: 'CRITICAL,HIGH'

 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: 'trivy-results.sarif'
-
- - name: Generate SBOM
- run: syft ghcr.io/shellz-n-stuff/slsa-spring-demo:${{ env.COMMIT_SHA }} -o json > sbom.json
\ No newline at end of file
+
+ - name: Sign Docker Image with Cosign
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ cosign sign --yes --key <(echo "${{ secrets.COSIGN_PRIVATE_KEY }}") ${{ env.DIGEST }}
\ No newline at end of file
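Review bot: Moving `Sign Docker Image with Cosign` after the Trivy scan only gates the signature if the Trivy step fails the job, and that depends on its `with:` inputs, which fall between the two hunks and are not visible here; unless `exit-code: '1'` is set alongside `severity: 'CRITICAL,HIGH'`, the scan merely reports and the job proceeds to sign. Once that is confirmed, a comment on the step would make the dependency explicit, e.g. `# Reached only if the Trivy step above failed the job on CRITICAL/HIGH findings (exit-code: '1')`. Note also that the image was already pushed to GHCR before the scan, so a failed scan leaves an unsigned image in the registry rather than no image; the gate is only meaningful if consumers require a valid `cosign verify` before pulling. The `--key <(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")` construct here carries the same key-handling concern raised on the first hunk and should switch to `--key env://COSIGN_PRIVATE_KEY` together with the others.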