Generate & attest vulnerability scan report

digitalservicebund · Nov 22, 2023 · 6821174 · 6821174
1 parent 3b6d372
commit 6821174
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -152,9 +152,6 @@ jobs:
         # Third-party action, pin to commit SHA!
         # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
         uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320
-        env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
         with:
           scan-type: "fs"
           skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
@@ -208,6 +205,22 @@ jobs:
           docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
           echo "IMAGE_DIGEST=$(docker images --no-trunc --quiet ${{ env.IMAGE_NAME }}:${{ github.sha }})" >> "$GITHUB_ENV"
 
+      - name: Generate cosign vulnerability scan record
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: "cosign-vuln"
+          output: "vulnerabilities.json"
+
+      - name: Upload cosign vulnerability scan record
+        uses: actions/upload-artifact@v3
+        with:
+          name: "vulnerabilities.json"
+          path: "vulnerabilities.json"
+          if-no-files-found: error
+
       - name: Install cosign
         # Third-party action, pin to commit SHA!
         # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
@@ -233,6 +246,11 @@ jobs:
         # against the sigstore community Fulcio instance.
         run: cosign sign ghcr.io/${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}
 
+      - name: Attest the vulnerability scan
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+
   deploy-staging:
     runs-on: ubuntu-latest
     if: ${{ github.ref == 'refs/heads/main' }}

diff --git a/.talismanrc b/.talismanrc
@@ -1,6 +1,6 @@
 fileignoreconfig:
 - filename: .github/workflows/pipeline.yml
-  checksum: 3eaacc416259a731197e557f234d0413c734b237555100cd616b87f2835bce82
+  checksum: d08390039a10da00501e4278d261ee59fa09193a33893e01daf91d4c5015bf2d
 - filename: .github/workflows/scan.yml
   checksum: b06430d20570ad4ce61e6078af8a2851ef1c1bf832f0a4f70c490bde1f533cdd
 - filename: README.md