Updated main branch (#21)

* Added Flask sample app

* Moved index.html to templates folder

* Created Dockerfile for the Flask app

* Updated the README

* Added action to build image from feature branch

* Changed to use date as a tag

* Added action to build from development branch

* Added image push for Feature branch

* Added debugging echo

* Added environment reference

* Added log and temp files to .gitignore

* Added provenance generation

* Fixed penance step

* Changed to Philips-Labs action

* Fixed tags command line parameter

* Added release step with min information

* Added registry login to the release action

* Added environment for the release step

* Removed condition for release step

* Added code to retrieve container digest

* Changed code to obtain image manifest

* Removed release, added provenance step

* Fixed action yaml error

* Added sign into ACR

* Added skopeo to retrieve the digest

* Changed the provenance step to use skopeo digest

* Fixed error in the Get Image Digest step

* Changed the tags cmd line parameter format

* Fixed tag to latest

* Removed tags

* Passing digest between steps

* Fixed output reference

* Added showing the provenance step

* Cleaned up action yaml

* Switched step order

* Testing with latest image tag

* Using date tag for the image

* Removed the digest parameter for the provenance call

* Added tags for provenance call

* Added /temp folder to .gitignore

* Added step for ORAS installation

* Fixed step 'run' key

* Fixed multi-line 'run'

* Fixed multi-line 'run' key

* Checking if ORAS it properly installed

* Added step to push provenance to the registry

* Fixed ORAS version

* FIxed ORAS installation step

* FIxed provenance media type

* Added annotations

* Saved annotations to a file

* Fixed annotation JSON

* Changed location of provenance file

* Changed provenance and annotation location

* Redirected annotations output

* Fixed annotations step

* Saved files in the $HOME folder

* Fixed missing backwards slash in oras push command

* Changed to relative paths

* Added /temp folder to .gitignore

* Added step for ORAS installation

* Fixed step 'run' key

* Fixed multi-line 'run'

* Fixed multi-line 'run' key

* Checking if ORAS it properly installed

* Added step to push provenance to the registry

* Fixed ORAS version

* FIxed ORAS installation step

* FIxed provenance media type

* Added annotations

* Saved annotations to a file

* Fixed annotation JSON

* Changed location of provenance file

* Changed provenance and annotation location

* Redirected annotations output

* Fixed annotations step

* Saved files in the $HOME folder

* Fixed missing backwards slash in oras push command

* Changed to relative paths

* Added step to print the provenance file

* Added simple script to assign ownerhip to layers

* Added docker inspect and python requirements install

* Added layer annotation

* Added print of layer annotations

* Added pushing ownerhip to the registry

* Changed ownership file location

* Moved ORAS installation step

* Added pushing ownership in build step

* Removed annotations for ownerhip

* Changed the dev branch build action

* Added pub and key to .gitignore

* Added SPDX SBOM for flasksample:v1

* Added SLSA example

* Added Cosign signature manifest

* Added Cosign signature layer

* Added Cosign downloaded signature

* Added Cosign attestation files

* Added decoded payloads

* Added Cosign attestation verification output

* Added Cosign image signature verification output

* Moved signature verification output file.

* Pretty printed the outputs

* Added extracted attestation signatures

* Renamed file

* Added outputs from the ephemeral key signature verifications

* Added Rekor logentries

* Generated SBOMs in various formats

Signed-off-by: Toddy Mladenov <[email protected]>

* Added manifests pulled from DockerHub

Signed-off-by: Toddy Mladenov <[email protected]>

* Pretty formatted manifests

Signed-off-by: Toddy Mladenov <[email protected]>

* Added manifest from ACR referrers

Signed-off-by: Toddy Mladenov <[email protected]>

* Added acr manifest list output

Signed-off-by: Toddy Mladenov <[email protected]>

* Added manifests from GAR

Signed-off-by: Toddy Mladenov <[email protected]>

* Renamed file

Signed-off-by: Toddy Mladenov <[email protected]>

* Updated .gitignore

Signed-off-by: Toddy Mladenov <[email protected]>

* Added debug output for JFrog

Signed-off-by: Toddy Mladenov <[email protected]>

* Added debug output for ECR

Signed-off-by: Toddy Mladenov <[email protected]>

* Added attach debug output for Quay

Signed-off-by: Toddy Mladenov <[email protected]>

* Added manifests for Harbor

Signed-off-by: Toddy Mladenov <[email protected]>

* Added manifest for Zot registry

Signed-off-by: Toddy Mladenov <[email protected]>

* Added ORAS registry manifests

Signed-off-by: Toddy Mladenov <[email protected]>

* Added GHCR manifests

Signed-off-by: Toddy Mladenov <[email protected]>

* Demo #2 vuln mgmt. Kubecon EU 2023 (#11)

* Temp commit

Signed-off-by: Toddy Mladenov <[email protected]>

* Added demo script for copy and resign images

Signed-off-by: Toddy Mladenov <[email protected]>

---------

Signed-off-by: Toddy Mladenov <[email protected]>

* Fixed artifact type for CycloneDX (#12)

* Temp commit

Signed-off-by: Toddy Mladenov <[email protected]>

* Added demo script for copy and resign images

Signed-off-by: Toddy Mladenov <[email protected]>

* Fived CycloneDX artifactType

Signed-off-by: Toddy Mladenov <[email protected]>

---------

Signed-off-by: Toddy Mladenov <[email protected]>

* kubeconeu23 notary demos (#13)

* Updated .gitignore

Signed-off-by: Toddy Mladenov <[email protected]>

* Added demo script for signing with Notation

Signed-off-by: Toddy Mladenov <[email protected]>

* Changed the typing speed for local and remote signing

Signed-off-by: Toddy Mladenov <[email protected]>

* Changed the env var name

Signed-off-by: Toddy Mladenov <[email protected]>

* Added trust store and trust policy demo script

Signed-off-by: Toddy Mladenov <[email protected]>

* Added troubleshooting demo script

Signed-off-by: Toddy Mladenov <[email protected]>

* Added local sign demo script

Signed-off-by: Toddy Mladenov <[email protected]>

---------

Signed-off-by: Toddy Mladenov <[email protected]>

* Demo script fixes (#14)

* Updated .gitignore

Signed-off-by: Toddy Mladenov <[email protected]>

* Added demo script for signing with Notation

Signed-off-by: Toddy Mladenov <[email protected]>

* Changed the typing speed for local and remote signing

Signed-off-by: Toddy Mladenov <[email protected]>

* Changed the env var name

Signed-off-by: Toddy Mladenov <[email protected]>

* Added trust store and trust policy demo script

Signed-off-by: Toddy Mladenov <[email protected]>

* Added troubleshooting demo script

Signed-off-by: Toddy Mladenov <[email protected]>

* Added local sign demo script

Signed-off-by: Toddy Mladenov <[email protected]>

* Removed unneccessary ls command

Signed-off-by: Toddy Mladenov <[email protected]>

* Changed env var name

Signed-off-by: Toddy Mladenov <[email protected]>

* Added more prep steps

Signed-off-by: Toddy Mladenov <[email protected]>

---------

Signed-off-by: Toddy Mladenov <[email protected]>

* Added additional cleanup commands (#15)

Signed-off-by: Toddy Mladenov <[email protected]>

* Added image lifecycle metadata demo script and cast (#16)

Signed-off-by: Toddy Mladenov <[email protected]>

* Renamed demo script for image lifecycle (#17)

* Added image lifecycle metadata demo script and cast

Signed-off-by: Toddy Mladenov <[email protected]>

* Renamed demo script for lifecycle management

Signed-off-by: Toddy Mladenov <[email protected]>

---------

Signed-off-by: Toddy Mladenov <[email protected]>

* Removed outdated file (#18)

* Added image lifecycle metadata demo script and cast

Signed-off-by: Toddy Mladenov <[email protected]>

* Renamed demo script for lifecycle management

Signed-off-by: Toddy Mladenov <[email protected]>

* Deleted outdated file

Signed-off-by: Toddy Mladenov <[email protected]>

---------

Signed-off-by: Toddy Mladenov <[email protected]>

* Added demo scripts for demose (#19)

* Added emo script for plugin install

Signed-off-by: Toddy Mladenov <[email protected]>

* Added demo script for signing and verification with test key

Signed-off-by: Toddy Mladenov <[email protected]>

* Added demo script for signing with remote key

Signed-off-by: Toddy Mladenov <[email protected]>

---------

Signed-off-by: Toddy Mladenov <[email protected]>

* Added cleanup step and updated script

Signed-off-by: Toddy Mladenov <[email protected]>

* Added cleanup steps

Signed-off-by: Toddy Mladenov <[email protected]>

* Added more cleanup steps

Signed-off-by: Toddy Mladenov <[email protected]>

* Renamed demo scripts (#20)

Signed-off-by: Toddy Mladenov <[email protected]>

---------

Signed-off-by: Toddy Mladenov <[email protected]>

.github/workflows/build-dev.yaml

@@ -0,0 +1,81 @@
+name: Build Feature Branch
+
+on:
+  # Triggers only for the feature/ branches
+  push:
+    branches: [ 'development' ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    environment: development
+    outputs:
+      container_digest: ${{ steps.container_info.outputs.container_digest }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Print the Secret
+        run: echo ${{ secrets.ACR_LOGIN_SERVER }}
+
+      - name: Build Docker image
+        #run: docker build . --file Dockerfile --tag ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d')
+        run: docker build . --file Dockerfile --tag ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:latest
+
+      - name: Login to the Container Registry  
+        uses: azure/docker-login@v1
+        with:
+          login-server: ${{ secrets.ACR_LOGIN_SERVER }}
+          username: ${{ secrets.ACR_CLIENT_ID }}
+          password: ${{ secrets.ACR_CLIENT_SECRET }}
+
+      - name: Push Image to ACR
+        #run: docker push ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d')
+        run: docker push ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:latest
+
+      # - name: Get Container Digest
+      #   id: container_info
+      #   run: |
+      #     export CONTAINER_DIGEST=$(docker image inspect ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') | jq .[0].Id)
+      #     echo $CONTAINER_DIGEST
+      #     echo "::set-output name=container_digest::$CONTAINER_DIGEST"
+
+  provenance:
+    name: provenance
+    runs-on: ubuntu-latest
+    needs: [build]
+    environment: development
+
+    steps:
+      - name: Login to the Container Registry  
+        uses: azure/docker-login@v1
+        with:
+          login-server: ${{ secrets.ACR_LOGIN_SERVER }}
+          username: ${{ secrets.ACR_CLIENT_ID }}
+          password: ${{ secrets.ACR_CLIENT_SECRET }}
+
+      - name: Install Skopeo
+        run: sudo apt-get update && sudo apt-get -y install skopeo
+
+      - name: Get Image Digest
+        id: get_image_digest
+        run: |
+          #export CONTAINER_DIGEST=$(skopeo inspect docker://${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') | jq .Digest)
+          echo ::set-output name=docker_digest::$(skopeo inspect docker://${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:latest | jq .Digest)
+          echo $CONTAINER_DIGEST
+
+      - name: Generate Provenance for Container
+        uses: philips-labs/[email protected]
+        with:
+          command: generate
+          subcommand: container
+          #arguments: --repository ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample --output-path provenance.att --digest ${{ needs.build.outputs.container_digest }} --tags $(date +'%Y-%m-%d')
+          #arguments: --repository ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample --output-path provenance.att --digest $CONTAINER_DIGEST --tags $(date +'%Y-%m-%d')
+          arguments: --repository ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample --output-path provenance.att --digest ${{ steps.get_image_digest.outputs.docker_digest }}
+
+      - name: Show Provenance for Container
+        run: cat provenance.att

.github/workflows/build-feature.yaml

@@ -0,0 +1,125 @@
+name: Build Feature Branch
+
+on:
+  # Triggers only for the feature/ branches
+  push:
+    branches: [ 'feature/**' ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    environment: development
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install ORAS
+        run: |
+            curl -LO https://github.com/oras-project/oras/releases/download/v0.2.1-alpha.1/oras_0.2.1-alpha.1_linux_amd64.tar.gz
+            mkdir -p oras-install/ 
+            tar -zxf oras_0.2.*.tar.gz -C oras-install/ 
+            mv oras-install/oras /usr/local/bin/ 
+            rm -rf oras_0.2.*.tar.gz oras-install/
+
+      - name: Build Docker Image
+        run: docker build . --file Dockerfile --tag ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d')
+
+      - name: Get Docker Content Manifest
+        run: docker inspect ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') > inspect.json
+
+      - name: Prepare Python Environment
+        run: pip install -r ./utils/requirements.txt
+
+      - name: Annotate Layers
+        run: |
+          python ./utils/layer_annotate.py \
+          -d ./Dockerfile \
+          -c ./inspect.json \
+          -o ${{ github.actor }} \
+          -s ${{ github.sha }} \
+          -r ${{ github.repository }} \
+          -f ./ownership.json
+
+      - name: Print Layer Annotations
+        run: cat ./ownership.json
+
+      - name: Login to the Container Registry  
+        uses: azure/docker-login@v1
+        with:
+          login-server: ${{ secrets.ACR_LOGIN_SERVER }}
+          username: ${{ secrets.ACR_CLIENT_ID }}
+          password: ${{ secrets.ACR_CLIENT_SECRET }}
+
+      - name: Push Image to ACR
+        run: docker push ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d')
+
+      - name: Push Ownership to the Registry
+        run: |
+          oras push ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample \
+          --artifact-type 'application/ownership+json' \
+          --subject ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') \
+          ./ownership.json:application/json
+
+  provenance:
+    name: provenance
+    runs-on: ubuntu-latest
+    needs: [build]
+    environment: development
+
+    steps:
+      - name: Install Skopeo
+        run: sudo apt-get update && sudo apt-get -y install skopeo
+
+      - name: Install ORAS
+        run: |
+            curl -LO https://github.com/oras-project/oras/releases/download/v0.2.1-alpha.1/oras_0.2.1-alpha.1_linux_amd64.tar.gz
+            mkdir -p oras-install/ 
+            tar -zxf oras_0.2.*.tar.gz -C oras-install/ 
+            mv oras-install/oras /usr/local/bin/ 
+            rm -rf oras_0.2.*.tar.gz oras-install/
+
+      - name: Login to the Container Registry  
+        uses: azure/docker-login@v1
+        with:
+          login-server: ${{ secrets.ACR_LOGIN_SERVER }}
+          username: ${{ secrets.ACR_CLIENT_ID }}
+          password: ${{ secrets.ACR_CLIENT_SECRET }}
+
+      - name: Get Image Digest
+        id: get_image_digest
+        run: |
+          echo ::set-output name=docker_digest::$(skopeo inspect docker://${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') | jq .Digest)
+
+      - name: Generate SLSA Provenance for Container
+        uses: philips-labs/[email protected]
+        with:
+          command: generate
+          subcommand: container
+          arguments: --repository ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample --output-path ./provenance.json --digest ${{ steps.get_image_digest.outputs.docker_digest }} --tags "$(date +'%Y-%m-%d')"
+
+      - name: Print Provenance Details
+        run: |
+          cat ./provenance.json
+
+      - name: Generate Annotation File
+        run: |
+          echo \
+          '''{
+              "$manifest": {
+                "io.azurecr.image.author": "${{ github.actor }}",
+                "io.azurecr.image.commit-sha": "${{ github.sha }}", 
+                "io.azurecr.image.repository": "${{ github.repository }}" 
+              }
+            }''' > ./annotations.json
+
+      - name: Push SLSA Provenance to the Registry
+        run: |
+          oras push ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample \
+          --artifact-type 'application/slsa+json' \
+          --subject ${{ secrets.ACR_LOGIN_SERVER }}/flask-sample:$(date +'%Y-%m-%d') \
+          --manifest-annotations ./annotations.json \
+          ./provenance.json:application/json

.gitignore

@@ -127,3 +127,20 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+
+# Log files
+*.log
+
+# Temp files
+/temp
+*.tmp
+*.temp
+
+# Key and cert files
+*.key
+*.pub
+
+# MacOS files
+.DS_Store
+*.tar
+.vscode/*

Dockerfile

@@ -0,0 +1,13 @@
+FROM python:3.10-slim
+
+COPY ./sample/requirements.txt /app/requirements.txt
+
+WORKDIR /app
+
+RUN pip install -r requirements.txt
+
+COPY ./sample /app
+
+ENTRYPOINT [ "python" ]
+
+CMD [ "view.py" ]

README.md

@@ -1,2 +1,2 @@
 # cssc-pipeline
-Sample CI/CD pipeline for creating container images with provenance details.
+Sample CI/CD pipeline for demonstrating the secure supply chain tools for containers.