From d9a233a6c8a43455c6b67e6ec754e96b2f4173ac Mon Sep 17 00:00:00 2001 From: Cole Kennedy Date: Sat, 13 Jul 2024 11:38:09 -0500 Subject: [PATCH] Initial commit --- .github/workflows/pipeline.yml | 56 ++++++++++++++++++++++++++++++ .github/workflows/vex.yml | 37 ++++++++++++++++++++ Dockerfile | 25 ++++++++++++++ README.md | 12 +++++++ go.mod | 5 +++ go.sum | 2 ++ main.go | 14 ++++++++ main_test.go | 14 ++++++++ pr-1/pipeline.yml | 63 ++++++++++++++++++++++++++++++++++ pr-2/Dockerfile | 25 ++++++++++++++ scripts/prepare.sh | 18 ++++++++++ scripts/tear-down.sh | 3 ++ 12 files changed, 274 insertions(+) create mode 100644 .github/workflows/pipeline.yml create mode 100644 .github/workflows/vex.yml create mode 100644 Dockerfile create mode 100644 README.md create mode 100644 go.mod create mode 100644 go.sum create mode 100644 main.go create mode 100644 main_test.go create mode 100644 pr-1/pipeline.yml create mode 100644 pr-2/Dockerfile create mode 100755 scripts/prepare.sh create mode 100755 scripts/tear-down.sh diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml new file mode 100644 index 0000000..b6c4372 --- /dev/null +++ b/.github/workflows/pipeline.yml @@ -0,0 +1,56 @@ +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +name: pipeline + +on: + push: + branches: + - 'main' + +jobs: + build-image: + runs-on: ubuntu-latest + + permissions: + packages: write + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + + steps: + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }}/swf + + - name: Docker Login + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Setup Buildx + uses: docker/setup-buildx-action@v3 + + - name: Checkout Code + uses: actions/checkout@v4.1.1 + + - name: Build Image + shell: bash + run: | + docker buildx build -t ${{ steps.meta.outputs.tags }} --push . + + - name: Generate SBOM + shell: bash + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin + syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/${{ github.repository }} -o cyclonedx-json --file sbom.cdx.json + + - name: Upload SBOM + uses: actions/upload-artifact@v4.3.3 + with: + name: sbom + path: sbom.cdx.json diff --git a/.github/workflows/vex.yml b/.github/workflows/vex.yml new file mode 100644 index 0000000..086e12d --- /dev/null +++ b/.github/workflows/vex.yml @@ -0,0 +1,37 @@ +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +name: vex + +on: + workflow_dispatch + +jobs: + generate-vex: + runs-on: ubuntu-latest + + steps: + - name: Setup Go + uses: actions/setup-go@v5.0.0 + with: + go-version: 1.22.x + - run: go install github.com/openvex/vexctl@latest + + - name: Checkout Code + uses: actions/checkout@v4.1.1 + + - name: Generate VEX + uses: testifysec/witness-run-action@reusable-workflow # v0.2.0 + with: + archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + step: gen-vex + attestations: "environment git github vex" + command: | + /bin/sh -c 'vexctl create --product="pkg:oci/${{ github.repository }}@main" --vuln="CVE-2023-45285" --status="not_affected" --justification="inline_mitigations_already_exist" --file="./openvex.json"' + + - name: Upload VEX + uses: actions/upload-artifact@v4.3.3 + with: + name: vex + path: openvex.json diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..0f10dc6 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,25 @@ +FROM cgr.dev/chainguard/go@sha256:605d81422aba573c17bfd6029a217e94a9575179a98355a99acbb6e028ca883b AS builder + +ARG TARGETPLATFORM +ARG TARGETOS +ARG TARGETARCH +ARG TARGETVARIANT="" +ARG LDFLAGS + +ENV GO111MODULE=on \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + GOARM=${TARGETVARIANT} + +WORKDIR /build + +COPY . . + +RUN go build -o bin/software + +FROM golang:alpine3.18 + +COPY --from=builder /build/bin/software /software + +ENTRYPOINT ["/software"] diff --git a/README.md b/README.md new file mode 100644 index 0000000..786e12d --- /dev/null +++ b/README.md @@ -0,0 +1,12 @@ +# demo-repo + +## Welcome to a JUDGE On-boarding Demo + +This is a template repository that is best used to create your own repo to customize. + +## "Typical" workflow experience (WIP) + +1. Take a look at the pipeline.yaml to see what the current build process looks like. It's a simple Docker build of a container image with a subsequent SBOM generation step. +2. Next look at PR1 +3. Next look at PR2 +4. Finally kick off the manual VEX workflow. diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..600cfc5 --- /dev/null +++ b/go.mod @@ -0,0 +1,5 @@ +module github.com/demo-john/demo-repo/swf + +go 1.21.1 + +require github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..6e66712 --- /dev/null +++ b/go.sum @@ -0,0 +1,2 @@ +github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= +github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= diff --git a/main.go b/main.go new file mode 100644 index 0000000..742970a --- /dev/null +++ b/main.go @@ -0,0 +1,14 @@ +package main + +import ( + "github.com/common-nighthawk/go-figure" +) + +func Hello() string { + return "Hello Demo!" +} + +func main() { + myFigure := figure.NewFigure(Hello(), "starwars", true) + myFigure.Print() +} diff --git a/main_test.go b/main_test.go new file mode 100644 index 0000000..247d2dd --- /dev/null +++ b/main_test.go @@ -0,0 +1,14 @@ +package main + +import ( + "testing" +) + +func TestHello(t *testing.T) { + got := Hello() + want := "Hello KubeCon!" + + if got != want { + t.Errorf("got %q want %q", got, want) + } +} diff --git a/pr-1/pipeline.yml b/pr-1/pipeline.yml new file mode 100644 index 0000000..48e7c59 --- /dev/null +++ b/pr-1/pipeline.yml @@ -0,0 +1,63 @@ +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +name: pipeline + +on: + push: + branches: + - 'main' + +jobs: + build-image: + runs-on: ubuntu-latest + + permissions: + packages: write + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + + steps: + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }}/swf + + - name: Docker Login + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Setup Buildx + uses: docker/setup-buildx-action@v3 + + - name: Checkout Code + uses: actions/checkout@v4.1.1 + + - name: Build Image + uses: testifysec/witness-run-action@reusable-workflow # v0.2.0 + with: + archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + step: build-image + attestations: "environment git github slsa" + command: /bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} --push ." + + - name: Generate SBOM + uses: testifysec/witness-run-action@reusable-workflow # v0.2.0 + with: + archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + step: gen-sbom + attestations: "environment git github sbom" + command: | + /bin/sh -c "curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.7.0 && \ + syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/${{ github.repository }} -o cyclonedx-json --file sbom.cdx.json" + + - name: Upload SBOM + uses: actions/upload-artifact@v4.3.3 + with: + name: sbom + path: sbom.cdx.json diff --git a/pr-2/Dockerfile b/pr-2/Dockerfile new file mode 100644 index 0000000..0b525e4 --- /dev/null +++ b/pr-2/Dockerfile @@ -0,0 +1,25 @@ +FROM cgr.dev/chainguard/go@sha256:605d81422aba573c17bfd6029a217e94a9575179a98355a99acbb6e028ca883b AS builder + +ARG TARGETPLATFORM +ARG TARGETOS +ARG TARGETARCH +ARG TARGETVARIANT="" +ARG LDFLAGS + +ENV GO111MODULE=on \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + GOARM=${TARGETVARIANT} + +WORKDIR /build + +COPY . . + +RUN go build -o bin/software + +FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472 + +COPY --from=builder /build/bin/software /software + +ENTRYPOINT ["/software"] diff --git a/scripts/prepare.sh b/scripts/prepare.sh new file mode 100755 index 0000000..55c285e --- /dev/null +++ b/scripts/prepare.sh @@ -0,0 +1,18 @@ +#!/bin/sh + +# Create the first PR +git checkout -b enable-witness main +cp ./pr-1/pipeline.yml ./.github/workflows/pipeline.yml +git add ./.github/workflows/pipeline.yml +git commit -m "Enable witness" +git push origin enable-witness +gh pr create --base main --head enable-witness --fill + +# Create the second PR +git checkout -b reduce-cves main +cp ./pr-2/Dockerfile ./Dockerfile +git add ./Dockerfile +git commit -m "Reduce CVEs" +git push origin reduce-cves +gh pr create --base main --head reduce-cves --fill + diff --git a/scripts/tear-down.sh b/scripts/tear-down.sh new file mode 100755 index 0000000..bc0454a --- /dev/null +++ b/scripts/tear-down.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +gh repo delete --confirm \ No newline at end of file