Sign main branch Unified container builds with cosign and perform security scanning #1192

Merged: 1 commit merged from cosign into main, Dec 16, 2024

Conversation

withinfocus (Contributor)

🎟️ Tracking

https://bitwarden.atlassian.net/browse/VULN-130

📔 Objective

Signs Unified container images built off main with Cosign. This uses Sigstore's in-house certificate authority with short-lived keys that are all self-managed with the tool, which will also utilize GitHub's provided OIDC entity. As part of an effort to increase transparency of what we build as an open source company, these signatures are also sent to Rekor -- users of our images are then free to verify the images against that log.

Also throws in container security scanning as that's adjacent in other builds.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes
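An added example of the pipeline the description above outlines, not the PR's own workflow (which is not shown on this page): keyless Cosign signing of the image digest using the job's GitHub OIDC identity, an in-job verification pinned to the OIDC issuer and workflow identity (the same check a consumer of the image would run against Rekor), and an adjacent container scan. The image name, registry, workflow filename `build.yml`, action versions and the Trivy scanner are assumptions; a production pipeline would pin every action to a full commit SHA, as the Checkmarx findings on this PR point out.

```yaml
name: Build, scan and sign container   # added example; names and versions are assumptions
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write   # push the image to GHCR
  id-token: write   # lets cosign request the GitHub OIDC token it exchanges for a Fulcio cert
jobs:
  build-sign-scan:
    runs-on: ubuntu-latest
    env:
      IMAGE_NAME: ghcr.io/${{ github.repository }}/example-image   # placeholder image name
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
      - uses: sigstore/cosign-installer@v3
      # Sign by digest, not by tag: a tag can be re-pointed later, a digest cannot.
      # No long-lived key is stored anywhere; Fulcio issues a short-lived certificate bound
      # to this workflow's OIDC identity and the signature is recorded in the Rekor log.
      - name: Sign image
        run: cosign sign --yes "${IMAGE_NAME}@${{ steps.build.outputs.digest }}"
      # Verify exactly as a consumer would: pin the issuer and the full workflow identity so
      # a signature produced by any other repository, workflow file or branch is rejected.
      - name: Verify signature
        run: |
          cosign verify "${IMAGE_NAME}@${{ steps.build.outputs.digest }}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/build.yml@refs/heads/main"
      # Scan the digest that was actually signed, so findings map to the artifact users pull.
      - name: Scan image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
          format: sarif
          output: trivy-results.sarif
```

Consumers outside CI run the same `cosign verify` command with the published digest; `--certificate-identity-regexp` can replace the exact identity when several release workflows are trusted.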

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@withinfocus withinfocus marked this pull request as ready for review December 13, 2024 20:58
@withinfocus withinfocus requested review from a team as code owners December 13, 2024 20:58
Contributor

Checkmarx One – Scan Summary & Details (scan 10336185-d042-4dcc-85e6-c9c753371005)

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 9 | When installing a package, its pin version should be defined |
| MEDIUM | Missing_HSTS_Header | /languages/php/example.php: 3 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/BitwardenClient.java: 43 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/example/Example.java: 46 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/BitwardenClient.java: 43 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/BitwardenClient.java: 43 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/BitwardenClient.java: 43 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/BitwardenClient.java: 43 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/SecretsClient.java: 41 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/example/Example.java: 43 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/example/Example.java: 53 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/SecretsClient.java: 20 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/SecretsClient.java: 41 | Attack Vector |
| MEDIUM | Privacy_Violation | /languages/java/src/main/java/com/bitwarden/sdk/SecretsClient.java: 138 | Attack Vector |
| LOW | Healthcheck Instruction Missing | /Dockerfile: 33 | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| LOW | Missing_CSP_Header | /about.hbs: 48 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 129 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 159 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 122 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 115 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 151 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 129 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 159 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 159 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/Secrets.cpp: 56 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 151 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 129 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 159 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/Secrets.cpp: 139 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 122 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 115 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 151 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 129 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 159 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/Secrets.cpp: 107 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 159 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 136 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 151 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 129 | Attack Vector |
| LOW | Privacy_Violation | /languages/cpp/src/BitwardenClient.cpp: 115 | Attack Vector |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-napi.yml: 110 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /build-cli-docker.yml: 57 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-java.yml: 98 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-wasm.yml: 86 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-dotnet.yml: 88 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /build-ruby.yml: 24 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-php.yml: 176 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-java.yml: 82 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-python.yml: 107 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /build-cli-docker.yml: 64 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-bws.yml: 172 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-php.yml: 89 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-go.yml: 69 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-napi.yml: 44 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-cpp.yml: 65 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-ruby.yml: 51 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-dotnet.yml: 54 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-bws.yml: 43 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /build-cli.yml: 85 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-wasm.yml: 42 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-bws.yml: 166 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-rust-crates.yml: 76 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-bws.yml: 51 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-go.yml: 89 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /build-cli.yml: 172 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-ruby.yml: 92 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /version-bump.yml: 53 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /build-cli.yml: 337 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /release-cpp.yml: 59 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /build-cli-docker.yml: 165 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Unpinned Actions Full Length Commit SHA | /publish-bws.yml: 92 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |

@withinfocus (Contributor, Author)

The build failures are existing.

@withinfocus (Contributor, Author)

@dani-garcia since you approved the other one can you take a look here? Thanks.

@withinfocus withinfocus merged commit 201a680 into main Dec 16, 2024
77 of 80 checks passed
@withinfocus withinfocus deleted the cosign branch December 16, 2024 18:06