
change in-toto to witness #23

change in-toto to witness



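# Container security lab pipeline:
#   CodeQL SAST -> build & push image -> Trivy scan -> cosign sign -> verify + SBOM
#
# Each CLI stage after CodeQL runs under `witness run`, which writes an in-toto
# attestation for that step; the attestations are uploaded as workflow
# artifacts so they survive the ephemeral runner. Nothing here runs
# `witness verify` against a policy yet — that is the consumer's job.
#
# Every job after the build addresses the image by the immutable digest the
# build returns, not by the mutable tag, so the artifact that is scanned,
# signed and verified is provably the one that was built.
name: Container Security Lab

on:
  push:
    branches:
      - '*'
  pull_request:

# Least privilege for the whole workflow; jobs that need more opt in below.
permissions:
  contents: read

env:
  IMAGE_NAME: ${{ github.event.repository.name }}
  # NOTE(review): `latest` is re-pushed by every branch push and every PR run,
  # so concurrent runs race on this tag. Downstream jobs do not depend on it
  # (they pin the digest), but anyone pulling `latest` gets whichever run
  # finished last.
  VERSION: 'latest'
  WITNESS_VERSION: 'v0.1.0'
  # SHA-256 of the witness binary fetched in the "Install Witness" steps.
  # Deliberately empty: `sha256sum -c` fails closed until a maintainer pins the
  # value from the release's published checksums. Do not ship this unfilled.
  WITNESS_SHA256: ''
  COSIGN_VERSION: 'v1.13.1'
  # TODO(review): confirm this is the Trivy release the lab intends to pin.
  TRIVY_VERSION: '0.50.1'

jobs:
  codeql:
    name: Run CodeQL SAST
    runs-on: ubuntu-latest
    permissions:
      # Job-level permissions replace the workflow defaults, so checkout's
      # read access has to be restated alongside the SARIF upload right.
      contents: read
      security-events: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      # `github/codeql-action/*` are GitHub Actions, not executables: they
      # cannot be a child process of `witness run`, so they are invoked with
      # `uses:` and this job produces no witness attestation.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  build-push:
    name: Build and Push Container Image
    runs-on: ubuntu-latest
    needs: codeql
    outputs:
      # Immutable identity of the pushed image; every later job consumes it.
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Install Witness
        run: |
          set -euo pipefail
          # -f: a 404 must fail the step instead of "installing" an HTML page.
          # TODO(review): confirm the asset name against the pinned release.
          curl -fsSL -o witness \
            "https://github.com/in-toto/witness/releases/download/${WITNESS_VERSION}/witness-linux-amd64"
          echo "${WITNESS_SHA256}  witness" | sha256sum -c -
          chmod +x witness
          sudo mv witness /usr/local/bin/witness
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
      # NOTE(review): secrets are not available to pull_request runs from
      # forks, so this login (and therefore the push) fails for those.
      - name: Login to Dockerhub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build and Publish Container Image and Record with Witness
        id: build
        env:
          IMAGE_REF: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
          # Private key witness signs the attestation with; must be configured.
          WITNESS_KEY: ${{ secrets.WITNESS_KEY }}
        run: |
          set -euo pipefail
          # The key and all outputs live outside the build context so a
          # `COPY . .` in the Dockerfile can never bake them into the image.
          umask 077
          printf '%s' "$WITNESS_KEY" > "$RUNNER_TEMP/witness.key"
          # `docker/build-push-action` is an action and cannot be wrapped by
          # witness; the equivalent buildx CLI call is used instead.
          # TODO(review): confirm flag spelling against `witness run --help`
          # for the pinned version.
          witness run --step build \
            --key "$RUNNER_TEMP/witness.key" \
            --outfile "$RUNNER_TEMP/build-attestation.json" -- \
            docker buildx build --push --tag "$IMAGE_REF" \
              --metadata-file "$RUNNER_TEMP/build-meta.json" .
          digest="$(jq -r '."containerimage.digest"' "$RUNNER_TEMP/build-meta.json")"
          # Fail closed: without a digest the downstream jobs have nothing
          # immutable to scan, sign or verify.
          if [ -z "$digest" ] || [ "$digest" = "null" ]; then
            echo "buildx did not report an image digest" >&2
            exit 1
          fi
          echo "digest=$digest" >> "$GITHUB_OUTPUT"
      - name: Upload build attestation
        uses: actions/upload-artifact@v4
        with:
          name: build-attestation
          path: ${{ runner.temp }}/build-attestation.json

  trivy:
    name: Run Trivy Scan
    runs-on: ubuntu-latest
    needs: build-push
    steps:
      - name: Install Witness
        run: |
          set -euo pipefail
          curl -fsSL -o witness \
            "https://github.com/in-toto/witness/releases/download/${WITNESS_VERSION}/witness-linux-amd64"
          echo "${WITNESS_SHA256}  witness" | sha256sum -c -
          chmod +x witness
          sudo mv witness /usr/local/bin/witness
      - name: Install Trivy
        run: |
          set -euo pipefail
          # The checksum file comes from the same origin as the tarball, so
          # this catches truncated or corrupted downloads, not a compromised
          # release.
          base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          curl -fsSL -O "${base}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          curl -fsSL -O "${base}/trivy_${TRIVY_VERSION}_checksums.txt"
          sha256sum --ignore-missing -c "trivy_${TRIVY_VERSION}_checksums.txt"
          tar -xzf "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" trivy
          sudo mv trivy /usr/local/bin/trivy
      # Needed only if the repository on Docker Hub is private; harmless otherwise.
      - name: Login to Dockerhub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Run Trivy Scan and Record with Witness
        env:
          IMAGE_REPO: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}
          DIGEST: ${{ needs.build-push.outputs.digest }}
          WITNESS_KEY: ${{ secrets.WITNESS_KEY }}
        run: |
          set -euo pipefail
          umask 077
          printf '%s' "$WITNESS_KEY" > "$RUNNER_TEMP/witness.key"
          # `--exit-code 1` is what makes this a gate: without it trivy exits 0
          # regardless of findings and the `needs: trivy` on the sign job is
          # cosmetic. Severity threshold is a policy choice; adjust deliberately.
          witness run --step scan \
            --key "$RUNNER_TEMP/witness.key" \
            --outfile "$RUNNER_TEMP/scan-attestation.json" -- \
            trivy image --exit-code 1 --severity HIGH,CRITICAL "${IMAGE_REPO}@${DIGEST}"
      - name: Upload scan attestation
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: scan-attestation
          path: ${{ runner.temp }}/scan-attestation.json

  sign:
    name: Sign Container Image with Cosign
    runs-on: ubuntu-latest
    # build-push is listed explicitly so its `digest` output is in scope.
    needs: [trivy, build-push]
    steps:
      - name: Install Witness
        run: |
          set -euo pipefail
          curl -fsSL -o witness \
            "https://github.com/in-toto/witness/releases/download/${WITNESS_VERSION}/witness-linux-amd64"
          echo "${WITNESS_SHA256}  witness" | sha256sum -c -
          chmod +x witness
          sudo mv witness /usr/local/bin/witness
      # The installer verifies the cosign release it fetches; a bare curl does not.
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: ${{ env.COSIGN_VERSION }}
      # cosign pushes the signature to the registry as an OCI artifact, so the
      # signing job needs registry credentials too.
      - name: Login to Dockerhub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Sign Container Image and Record with Witness
        env:
          IMAGE_REPO: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}
          DIGEST: ${{ needs.build-push.outputs.digest }}
          WITNESS_KEY: ${{ secrets.WITNESS_KEY }}
          # Private signing key and its passphrase; neither was wired up before,
          # so the key reference had nothing to read.
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          set -euo pipefail
          umask 077
          printf '%s' "$WITNESS_KEY" > "$RUNNER_TEMP/witness.key"
          # Sign the digest, never the tag: a tag can be repointed between
          # build and sign, a digest cannot.
          witness run --step sign \
            --key "$RUNNER_TEMP/witness.key" \
            --outfile "$RUNNER_TEMP/sign-attestation.json" -- \
            cosign sign --key env://COSIGN_KEY "${IMAGE_REPO}@${DIGEST}"
      - name: Upload sign attestation
        uses: actions/upload-artifact@v4
        with:
          name: sign-attestation
          path: ${{ runner.temp }}/sign-attestation.json

  validate-container:
    name: Validate Container Image
    runs-on: ubuntu-latest
    needs: [sign, build-push]
    steps:
      # Checkout is required so the public key is present on the runner.
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Install Witness
        run: |
          set -euo pipefail
          curl -fsSL -o witness \
            "https://github.com/in-toto/witness/releases/download/${WITNESS_VERSION}/witness-linux-amd64"
          echo "${WITNESS_SHA256}  witness" | sha256sum -c -
          chmod +x witness
          sudo mv witness /usr/local/bin/witness
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: ${{ env.COSIGN_VERSION }}
      - name: Login to Dockerhub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Verify Cosign Signature and Record with Witness
        env:
          IMAGE_REPO: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}
          DIGEST: ${{ needs.build-push.outputs.digest }}
          WITNESS_KEY: ${{ secrets.WITNESS_KEY }}
        run: |
          set -euo pipefail
          umask 077
          printf '%s' "$WITNESS_KEY" > "$RUNNER_TEMP/witness.key"
          # Verification uses the PUBLIC half of the signing key. The previous
          # `--key cosign.key` named the private key; if that file was ever
          # committed to this repository, treat the key as compromised and
          # rotate it. `cosign.pub` is assumed to be checked in at the repo
          # root — TODO(review): confirm the path.
          witness run --step verify \
            --key "$RUNNER_TEMP/witness.key" \
            --outfile "$RUNNER_TEMP/verify-attestation.json" -- \
            cosign verify --key cosign.pub "${IMAGE_REPO}@${DIGEST}"
      - name: Upload verify attestation
        uses: actions/upload-artifact@v4
        with:
          name: verify-attestation
          path: ${{ runner.temp }}/verify-attestation.json
      # SBOM of the exact image that was verified, by digest.
      - name: Generate SBOM with Anchore and Record with Witness
        uses: anchore/sbom-action@v0
        with:
          image: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}@${{ needs.build-push.outputs.digest }}
          format: cyclonedx
          upload-artifact-retention: 30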