-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
8 changed files
with
154 additions
and
45 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,6 +20,8 @@ env: | |
CONTAINER_NAME: ${{ github.repository }} | ||
CONTAINER_REGISTRY_GHCR: ghcr.io | ||
CONTAINER_REGISTRY_DOCKER_HUB: docker.io | ||
# https://github.com/sigstore/cosign/releases | ||
COSIGN_VERSION: 2.2.0 | ||
# https://npmjs.com/package/@microsoft/sarif-multitool?activeTab=versions | ||
SARIF_MULTITOOL_VERSION: 4.3.0 | ||
# https://npmjs.com/package/snyk?activeTab=versions | ||
|
@@ -79,7 +81,7 @@ jobs: | |
submodules: recursive | ||
|
||
- name: SAST - Credentials | ||
uses: trufflesecurity/trufflehog@v3.53.0 | ||
uses: trufflesecurity/trufflehog@v3.54.1 | ||
with: | ||
base: ${{ github.event.repository.default_branch }} | ||
head: HEAD | ||
|
@@ -118,7 +120,12 @@ jobs: | |
with: | ||
node-version: ${{ env.NODE_VERSION }} | ||
|
||
- name: Prepare GPG key for Helm chart | ||
- name: Setup Cosign | ||
uses: sigstore/[email protected] | ||
with: | ||
cosign-release: v${{ env.COSIGN_VERSION }} | ||
|
||
- name: Prepare GPG key | ||
run: | | ||
echo "${{ secrets.GPG_KEYRING }}" | gpg --dearmor > keyring.gpg | ||
|
@@ -135,6 +142,17 @@ jobs: | |
--version ${{ steps.version.outputs.version }} \ | ||
src/helm/azure-pipelines-agent | ||
- name: Sign Helm chart | ||
env: | ||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | ||
run: | | ||
cosign sign-blob \ | ||
--bundle .cr-release-packages/azure-pipelines-agent-${{ steps.version.outputs.version }}.tgz.bundle \ | ||
--key="env://COSIGN_PRIVATE_KEY" \ | ||
--yes \ | ||
.cr-release-packages/azure-pipelines-agent-${{ steps.version.outputs.version }}.tgz | ||
- name: Cache Helm chart | ||
uses: actions/[email protected] | ||
with: | ||
|
@@ -163,14 +181,15 @@ jobs: | |
# See: https://github.com/github/codeql-action/issues/220 | ||
- name: Merge SARIF files | ||
run: | | ||
npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} \ | ||
merge \ | ||
--merge-runs \ | ||
--output-file merged.sarif \ | ||
snyk.sarif | ||
npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} merge \ | ||
--automation-id ${{ github.run_id }} \ | ||
--merge-empty-logs \ | ||
--merge-runs \ | ||
--output-file merged.sarif \ | ||
snyk.sarif | ||
- name: Upload results to GitHub Security | ||
uses: github/codeql-action/[email protected].4 | ||
uses: github/codeql-action/[email protected].5 | ||
with: | ||
sarif_file: merged.sarif | ||
|
||
|
@@ -280,7 +299,7 @@ jobs: | |
platforms: ${{ matrix.arch }} | ||
|
||
- name: Setup Docker Buildx | ||
uses: docker/setup-buildx-action@v2.9.1 | ||
uses: docker/setup-buildx-action@v2.10.0 | ||
with: | ||
version: v${{ env.BUILDX_VERSION }} | ||
driver-opts: | | ||
|
@@ -292,6 +311,11 @@ jobs: | |
with: | ||
node-version: ${{ env.NODE_VERSION }} | ||
|
||
- name: Setup Cosign | ||
uses: sigstore/[email protected] | ||
with: | ||
cosign-release: v${{ env.COSIGN_VERSION }} | ||
|
||
- name: Login to registry - GitHub | ||
uses: docker/[email protected] | ||
with: | ||
|
@@ -376,7 +400,21 @@ jobs: | |
sbom: true | ||
tags: ${{ steps.meta.outputs.tags }} | ||
|
||
- name: Run SAST Snyk on container image | ||
- name: Sign containers | ||
env: | ||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | ||
run: | | ||
while IFS= read -r tag; do | ||
echo "Signing $tag..." | ||
cosign sign \ | ||
--key="env://COSIGN_PRIVATE_KEY" \ | ||
--recursive \ | ||
--yes \ | ||
$tag | ||
done <<< "${{ steps.meta.outputs.tags }}" | ||
- name: Run SAST Snyk against containers | ||
# Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | ||
continue-on-error: true | ||
env: | ||
|
@@ -393,19 +431,17 @@ jobs: | |
${{ steps.tag.outputs.tag }} | ||
done | ||
# Fix issue "Error: Code Scanning could not process the submitted SARIF file: rejecting SARIF, as there are more runs than allowed (XX > 20)" | ||
# See: https://github.com/github/codeql-action/issues/220 | ||
- name: Merge SARIF files | ||
run: | | ||
npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} \ | ||
merge \ | ||
--merge-runs \ | ||
--output-file merged.sarif \ | ||
--recurse true \ | ||
snyk-*.sarif | ||
npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} merge \ | ||
--automation-id ${{ github.run_id }} \ | ||
--merge-empty-logs \ | ||
--merge-runs \ | ||
--output-file merged.sarif \ | ||
*.sarif | ||
- name: Upload results to GitHub Security | ||
uses: github/codeql-action/[email protected].4 | ||
uses: github/codeql-action/[email protected].5 | ||
with: | ||
sarif_file: merged.sarif | ||
|
||
|
@@ -444,6 +480,17 @@ jobs: | |
echo "version=$(powershell cicd/version/version.ps1 -g . -c)" >> $Env:GITHUB_OUTPUT | ||
echo "version_full=$(powershell cicd/version/version.ps1 -g . -c -m)" >> $Env:GITHUB_OUTPUT | ||
# Required for running "npx" CLI | ||
- name: Setup Node | ||
uses: actions/[email protected] | ||
with: | ||
node-version: ${{ env.NODE_VERSION }} | ||
|
||
- name: Setup Cosign | ||
uses: sigstore/[email protected] | ||
with: | ||
cosign-release: v${{ env.COSIGN_VERSION }} | ||
|
||
- name: Login to registry - GitHub | ||
uses: docker/[email protected] | ||
with: | ||
|
@@ -553,7 +600,7 @@ jobs: | |
Write-Host "Pulling cache images:" | ||
foreach ($tag in $tags) { | ||
Write-Host " $tag" | ||
Write-Host " $tag" | ||
docker pull --quiet $tag || true | ||
} | ||
|
@@ -565,7 +612,22 @@ jobs: | |
docker push --quiet $tag | ||
} | ||
- name: Run SAST Snyk on container image | ||
- name: Sign containers | ||
env: | ||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | ||
run: | | ||
$tags = ('${{ steps.meta.outputs.tags }}').Split([Environment]::NewLine) | ||
foreach ($tag in $tags) { | ||
Write-Host "Signing $tag..." | ||
cosign sign ` | ||
--key="env://COSIGN_PRIVATE_KEY" ` | ||
--recursive ` | ||
--yes ` | ||
$tag | ||
} | ||
- name: Run SAST Snyk against containers | ||
# Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | ||
continue-on-error: true | ||
env: | ||
|
@@ -579,7 +641,7 @@ jobs: | |
${{ steps.tag.outputs.tag }} | ||
- name: Upload results to GitHub Security | ||
uses: github/codeql-action/[email protected].4 | ||
uses: github/codeql-action/[email protected].5 | ||
with: | ||
sarif_file: snyk.sarif | ||
|
||
|
@@ -600,7 +662,7 @@ jobs: | |
run: semgrep ci --sarif --output=semgrep.sarif | ||
|
||
- name: Upload results to GitHub Security | ||
uses: github/codeql-action/[email protected].4 | ||
uses: github/codeql-action/[email protected].5 | ||
with: | ||
sarif_file: semgrep.sarif | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,11 +24,53 @@ If you think you have found a vulnerability, please do not open an issue on GitH | |
|
||
## Chain of trust | ||
|
||
The Helm chart is signed with a GPG key. [The public key is available on Keybase at the following address.](https://keybase.io/clemlesne/pgp_keys.asc) | ||
Both the containers and the Helm chart are signed: | ||
|
||
### Containers | ||
|
||
Containers are signed with [Cosign](https://github.com/sigstore/cosign). | ||
|
||
Cosign public key is available in [`/cosign.pub`](cosign.pub). | ||
|
||
```bash | ||
# Example of verification with Cosign | ||
❯ cosign verify --key cosign.pub ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main | ||
Verification for ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main -- | ||
The following checks were performed on each of these signatures: | ||
- The cosign claims were validated | ||
- Existence of the claims in the transparency log was verified offline | ||
- The signatures were verified against the specified public key | ||
``` | ||
|
||
### Helm chart | ||
|
||
Helm chart is signed with two methods, [Cosign](https://github.com/sigstore/cosign) and [GPG](https://helm.sh/docs/topics/provenance). Both methods can be used to confirm authenticity of a build. | ||
|
||
Keys: | ||
|
||
- Cosign public key is available in [`/cosign.pub`](cosign.pub). | ||
- GPG public key is [available on Keybase](https://keybase.io/clemlesne/pgp_keys.asc) and in [`/pubring.gpg`](pubring.gpg). | ||
|
||
```bash | ||
# Example of verification with Helm native signature | ||
❯ helm fetch --keyring pubring.gpg --verify clemlesne-azure-pipelines-agent/azure-pipelines-agent --version 5.0.0 | ||
Signed by: Clémence Lesné <[email protected]> | ||
Using Key With Fingerprint: 417E701DBC66834CA752C920460D072B9C032DFD | ||
Chart Hash Verified: sha256:1c23e22cffc132ce12489480d139b59e97b3cb49ff1599a4ae11fb5c317c1e64 | ||
``` | ||
|
||
```bash | ||
# Example of verification with Cosign | ||
❯ VERSION=5.0.0 | ||
❯ wget https://github.com/clemlesne/azure-pipelines-agent/releases/download/azure-pipelines-agent-${VERSION}/azure-pipelines-agent-${VERSION}.tgz.bundle | ||
❯ helm pull clemlesne-azure-pipelines-agent/azure-pipelines-agent --version 5.0.0 | ||
❯ cosign verify-blob azure-pipelines-agent-${VERSION}.tgz --bundle azure-pipelines-agent-${VERSION}.tgz.bundle --key cosign.pub | ||
Verified OK | ||
``` | ||
|
||
## Reliability notes | ||
|
||
Systems are built every days. Each image is accompanied by a SBOM (Software Bill of Materials) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours. | ||
Systems are built every days. Each image is accompanied by a [SBOM (Software Bill of Materials)](https://en.wikipedia.org/wiki/Software_supply_chain) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours. | ||
|
||
Nevertheless it can happen that a package provider (e.g. Debian, Canonical, Red Hat) deploys a system update that introduces a bug. This is difficult to predict. | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
-----BEGIN PUBLIC KEY----- | ||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERbXillF9UqyNmGEffSXiEQAlgiKp | ||
RJFDQRRbnqpfDYbJRAPHwDM/g13P0WOmY079JUl5tdMAoew6XK602u952Q== | ||
-----END PUBLIC KEY----- |
Binary file not shown.
Oops, something went wrong.