fix: remove unpinned image warning in lint for cosign signatures (zar…

…f-dev#2681) Signed-off-by: Tim Seagren <[email protected]>
chaospuppy · Aug 5, 2024 · c4e1fb9 · c4e1fb9
1 parent 8735812
commit c4e1fb9
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/src/pkg/packager/lint/lint.go b/src/pkg/packager/lint/lint.go
@@ -64,7 +64,6 @@ func lintComponents(ctx context.Context, pkg types.ZarfPackage, createOpts types
 		}
 
 		chain, err := composer.NewImportChain(ctx, component, i, pkg.Metadata.Name, arch, createOpts.Flavor)
-
 		if err != nil {
 			return nil, err
 		}
@@ -144,9 +143,20 @@ func isPinnedImage(image string) (bool, error) {
 		}
 		return false, err
 	}
+	if isCosignSignature(transformedImage.Tag) || isCosignAttestation(transformedImage.Tag) {
+		return true, nil
+	}
 	return (transformedImage.Digest != ""), err
 }
 
+func isCosignSignature(image string) bool {
+	return strings.HasSuffix(image, ".sig")
+}
+
+func isCosignAttestation(image string) bool {
+	return strings.HasSuffix(image, ".att")
+}
+
 func isPinnedRepo(repo string) bool {
 	return (strings.Contains(repo, "@"))
 }

diff --git a/src/pkg/packager/lint/lint_test.go b/src/pkg/packager/lint/lint_test.go
@@ -217,10 +217,14 @@ func TestValidateComponent(t *testing.T) {
 		t.Parallel()
 		unpinnedImage := "registry.com:9001/whatever/image:1.0.0"
 		badImage := "badimage:badimage@@sha256:3fbc632167424a6d997e74f5"
+		cosignSignature := "ghcr.io/stefanprodan/podinfo:sha256-57a654ace69ec02ba8973093b6a786faa15640575fbf0dbb603db55aca2ccec8.sig"
+		cosignAttestation := "ghcr.io/stefanprodan/podinfo:sha256-57a654ace69ec02ba8973093b6a786faa15640575fbf0dbb603db55aca2ccec8.att"
 		component := types.ZarfComponent{Images: []string{
 			unpinnedImage,
 			"busybox:latest@sha256:3fbc632167424a6d997e74f52b878d7cc478225cffac6bc977eedfe51c7f4e79",
 			badImage,
+			cosignSignature,
+			cosignAttestation,
 		}}
 		findings := checkForUnpinnedImages(component, 0)
 		expected := []types.PackageFinding{
@@ -333,6 +337,16 @@ func TestValidateComponent(t *testing.T) {
 				expected: true,
 				err:      nil,
 			},
+			{
+				input:    "ghcr.io/stefanprodan/podinfo:sha256-57a654ace69ec02ba8973093b6a786faa15640575fbf0dbb603db55aca2ccec8.sig",
+				expected: true,
+				err:      nil,
+			},
+			{
+				input:    "ghcr.io/stefanprodan/podinfo:sha256-57a654ace69ec02ba8973093b6a786faa15640575fbf0dbb603db55aca2ccec8.att",
+				expected: true,
+				err:      nil,
+			},
 		}
 		for _, tc := range tests {
 			t.Run(tc.input, func(t *testing.T) {