nais/attest-sign

This action generates an SBOM for a container image, attaches it to the image as an attestation, and signs it.

It assumes that you are already authenticated to the registry to which the attestations and signatures are uploaded.

Usage

```yaml
env:
  registry: "some.registry/images"
  image: "myimage"

jobs:
  build_push_sign:
    runs-on: "ubuntu-latest"
    steps:
    - name: "Checkout"
      ...
    - name: "Authenticate to Google Cloud"
      ...
    - name: "Login to registry"
      ...
    - name: "Docker metadata"
      ...
    - name: "Build and push"
      id: "build_push"
      ...
    - name: "Attest and sign"
      uses: 'nais/attest-sign@<version>'  # <version> is a placeholder for the release tag you pin
      with:
        # Pass the image by digest, not by tag: the signature and attestation bind to the manifest digest.
        image_ref: ${{ env.registry }}/${{ env.image }}@${{ steps.build_push.outputs.digest }}
        # Optional. By default the SBOM is generated with Trivy from the image manifest;
        # it can be overridden with a pre-generated SBOM.
        sbom:
```
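The `image_ref` in the workflow above is pinned by digest (`@${{ steps.build_push.outputs.digest }}`) rather than by tag. That matters because a signature and its SBOM attestation bind to a manifest digest, while a tag can later be re-pointed at a different image, so signing "whatever the tag resolves to right now" proves nothing about what the tag serves later. The following is an added example, not code from the nais/attest-sign action: a pre-flight check a workflow could run before calling the action, which parses an image reference and rejects tag-only or malformed-digest references. The parser, the function names and the sample references are constructed for illustration.

```python
"""Pre-flight check: refuse to sign an image reference that is not digest-pinned.

Added example, not part of the nais/attest-sign action. Pure Python, no
registry access; the sample references in main() are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Simplified OCI/Docker reference grammar: [registry/]repository[:tag][@digest]
# A leading component is treated as a registry if it contains '.' or ':' or is 'localhost'.
_DIGEST_RE = re.compile(r"^(?P<alg>sha256|sha512):(?P<hex>[0-9a-f]+)$")
_HEX_LEN = {"sha256": 64, "sha512": 128}
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$")
_REPO_COMPONENT_RE = re.compile(r"^[a-z0-9]+(?:[._-]+[a-z0-9]+)*$")


@dataclass(frozen=True)
class ImageRef:
    registry: Optional[str]
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def digest_pinned(self) -> bool:
        return self.digest is not None

    def pinned_ref(self) -> str:
        """Canonical 'registry/repository@digest' form; any tag is dropped."""
        if self.digest is None:
            raise ValueError("reference is not digest-pinned")
        prefix = f"{self.registry}/" if self.registry else ""
        return f"{prefix}{self.repository}@{self.digest}"


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into registry, repository, tag and digest, validating each part."""
    rest, digest = ref, None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
        m = _DIGEST_RE.match(digest)
        if not m or len(m.group("hex")) != _HEX_LEN[m.group("alg")]:
            raise ValueError(f"malformed digest: {digest!r}")
    tag = None
    # A ':' only denotes a tag if it comes after the last '/'; before it, it is a registry port.
    last_slash, colon = rest.rfind("/"), rest.rfind(":")
    if colon > last_slash:
        rest, tag = rest[:colon], rest[colon + 1:]
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag!r}")
    registry = None
    first, _, remainder = rest.partition("/")
    if remainder and ("." in first or ":" in first or first == "localhost"):
        registry, rest = first, remainder
    if not rest:
        raise ValueError("empty repository")
    for comp in rest.split("/"):
        if not _REPO_COMPONENT_RE.match(comp):
            raise ValueError(f"malformed repository component: {comp!r}")
    return ImageRef(registry, rest, tag, digest)


def require_digest_pinned(ref: str) -> str:
    """Return the canonical digest-pinned reference, or raise if `ref` is tag-only."""
    parsed = parse_image_ref(ref)
    if not parsed.digest_pinned:
        raise ValueError(
            f"{ref!r} is a tag reference; tags are mutable, pass "
            "registry/repository@sha256:<digest> (e.g. the digest output of the build step)"
        )
    return parsed.pinned_ref()


def is_digest_pinned(ref: str) -> bool:
    """Non-raising variant for use as a boolean gate in a workflow step."""
    try:
        return parse_image_ref(ref).digest_pinned
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample references: one pinned, one tag-only, one with a truncated digest.
    sample_digest = "sha256:" + "a" * 64
    for candidate in (
        f"some.registry/images/myimage@{sample_digest}",
        "some.registry/images/myimage:latest",
        "some.registry/images/myimage@sha256:abc",
    ):
        try:
            print("OK  ", require_digest_pinned(candidate))
        except ValueError as err:
            print("FAIL", err)
```

In a workflow this would run as a step between "Build and push" and "Attest and sign", failing the job if the reference handed to the action is not `@sha256:` pinned; it also normalises a `repo:tag@sha256:...` reference to the digest-only form so that the signed subject is unambiguous.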

Functionality

The action uses Trivy to generate the SBOM and cosign to attest and sign it. It caches the trivy-java-db and pulls it from multiple mirrors/repositories, which avoids GitHub rate limiting and significantly shortens subsequent runs. The trivy-java-db is updated weekly, so the cache should be refreshed at least that often.