feat: SLSA 3

Updates the CI to make policy server SLSA 3 complaint by providing the
SBOM and provenance files.

Signed-off-by: José Guilherme Vanz <[email protected]>

.github/workflows/attestation.yml

@@ -0,0 +1,138 @@
+name: Sign attestation files
+
+on:
+  workflow_call:
+    inputs:
+      image-digest:
+        type: string
+        required: true
+
+jobs:
+  sbom:
+    name: Fetch, sign and verify SBOM and provenance files
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    permissions:
+      packages: write
+      id-token: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+      - name: Install the crane command
+        uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify container image signature
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{ github.repository_owner }}/policy-server@${{ inputs.image-digest }}
+
+      - name: Find platform digest
+        shell: bash
+        run: |
+          set -e
+          DIGEST=$(crane digest \
+            --platform "linux/${{ matrix.arch }}" \
+            ghcr.io/${{ github.repository_owner }}/policy-server@${{ inputs.image-digest }})
+          echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Find attestation digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ inputs.image-digest }} \
+            | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest'
+          )
+          echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign attestation manifest
+        run: |
+          cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}}
+
+      - name: Find provenance manifest digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
+            jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
+          echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign provenance manifest
+        run: |
+          cosign sign --yes \
+          ghcr.io/${{github.repository_owner}}/policy-server@${{ env.PROVENANCE_DIGEST}}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/policy-server@${{ env.PROVENANCE_DIGEST}}
+
+      - name: Find SBOM manifest layers digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
+            jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
+          echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign SBOM layers
+        run: |
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/policy-server@$sbom_digest
+          done
+
+      - name: Verify SBOM layers
+        run: |
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            cosign verify \
+              --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+              --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/attestation.yml@${{ github.ref }}" \
+              ghcr.io/${{github.repository_owner}}/policy-server@$sbom_digest
+          done
+
+      - name: Download provenance and SBOM files
+        run: |
+          set -e
+          crane blob ghcr.io/${{github.repository_owner}}/policy-server@${{ env.PROVENANCE_DIGEST}} > policy-server-attestation-${{ matrix.arch }}-provenance.json
+          md5sum policy-server-attestation-${{ matrix.arch }}-provenance.json >> policy-server-attestation-${{ matrix.arch }}-checksum.txt
+
+
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            crane blob ghcr.io/${{github.repository_owner}}/policy-server@$sbom_digest > policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json
+            md5sum policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json >> policy-server-attestation-${{ matrix.arch }}-checksum.txt
+          done
+            
+      - name: Sign checksum file
+        run: |
+          cosign sign-blob --yes \
+            --bundle policy-server-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            policy-server-attestation-${{ matrix.arch }}-checksum.txt
+            
+          cosign verify-blob \
+            --bundle policy-server-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/attestation.yml@${{ github.ref }}" \
+            policy-server-attestation-${{ matrix.arch }}-checksum.txt
+
+      - name: Upload SBOMs as artifacts
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: attestation-${{ matrix.arch }}
+          path: policy-server-attestation-${{ matrix.arch }}*

.github/workflows/container-build.yml

@@ -31,8 +31,8 @@ jobs:
       image-digest: ${{ needs.build.outputs.digest }}
 
   sbom:
-    needs: build
-    uses: ./.github/workflows/sbom.yml
+    needs: sign
+    uses: ./.github/workflows/attestation.yml
     permissions:
       packages: write
       id-token: write

.github/workflows/container-image.yml

@@ -8,46 +8,10 @@ on:
         value: ${{ jobs.build.outputs.digest }}
 
 jobs:
-  cross-build:
-    name: Cross compile policy-server binary
-    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        targetarch:
-          - aarch64
-          - x86_64
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-
-      - name: Setup rust toolchain
-        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
-        with:
-          toolchain: stable
-          target: ${{matrix.targetarch}}-unknown-linux-musl
-          override: true
-
-      - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
-        with:
-          use-cross: true
-          command: build
-          args: --release --target ${{matrix.targetarch}}-unknown-linux-musl
-
-      - name: Upload policy-server binary
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
-        with:
-          name: policy-server-${{ matrix.targetarch }}
-          path: |
-            target/${{ matrix.targetarch }}-unknown-linux-musl/release/policy-server
-
   build:
     name: Build container image
     permissions:
       packages: write
-    needs:
-      - cross-build
     runs-on: ubuntu-latest
     outputs:
       repository: ${{ steps.setoutput.outputs.repository }}
@@ -57,55 +21,48 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Download the policy-server artifacts we've built inside of the previous job
-      - name: Download policy-server-x86_64 artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: policy-server-x86_64
-          path: artifacts-x86_64
-      - name: Download policy-server-aarch64 artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: policy-server-aarch64
-          path: artifacts-aarch64
-      - name: Move binaries to project root
-        run: |
-          mv artifacts-x86_64/policy-server policy-server-x86_64
-          mv artifacts-aarch64/policy-server policy-server-aarch64
-
       - name: Retrieve tag name (main branch)
         if: ${{ startsWith(github.ref, 'refs/heads/main') }}
         run: |
           echo TAG_NAME=latest >> $GITHUB_ENV
+
       - name: Retrieve tag name (feat branch)
         if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
         run: |
           echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
+          
       - name: Retrieve tag name (tag)
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
         run: |
           echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
+
       - name: Push and push container image
         id: build-image
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: .
-          file: ./Dockerfile.github
+          file: ./Dockerfile
           platforms: linux/amd64, linux/arm64
           push: true
+          sbom: true
+          provenance: mode=max
           tags: |
             ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }}
+
       - id: setoutput
         name: Set output parameters
         run: |

.github/workflows/sign-image.yml

@@ -30,3 +30,8 @@ jobs:
         run: |
           cosign sign --yes \
             ghcr.io/${{github.repository_owner}}/policy-server@${{ inputs.image-digest }}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/policy-server@${{ inputs.image-digest }}

Dockerfile

@@ -1,22 +1,51 @@
-FROM rust:1.80-alpine AS build
+FROM --platform=${BUILDPLATFORM} ghcr.io/cross-rs/aarch64-unknown-linux-musl:0.2.5 AS build-arm64
+ARG BUILDPLATFORM
+ARG TARGETPLATFORM
+
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --target aarch64-unknown-linux-musl  --default-toolchain stable
+
+ENV PATH=/root/.cargo/bin:$PATH 
+RUN cargo --version
+
 WORKDIR /usr/src
 
-RUN apk add --no-cache musl-dev make 
+RUN mkdir /usr/src/policy-server
+WORKDIR /usr/src/policy-server
+COPY ./ ./
+
+RUN cargo install --target aarch64-unknown-linux-musl --path .
+
+FROM --platform=${BUILDPLATFORM} ghcr.io/cross-rs/x86_64-unknown-linux-musl:0.2.5 AS build-amd64
+ARG BUILDPLATFORM
+ARG TARGETPLATFORM
+
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --target x86_64-unknown-linux-musl  --default-toolchain stable
+
+ENV PATH=/root/.cargo/bin:$PATH 
+RUN cargo --version
+
+WORKDIR /usr/src
 
 RUN mkdir /usr/src/policy-server
 WORKDIR /usr/src/policy-server
 COPY ./ ./
-RUN cargo install --target $(arch)-unknown-linux-musl --path .
 
-FROM alpine AS cfg
+RUN cargo install --target x86_64-unknown-linux-musl --path .
+
+FROM --platform=$BUILDPLATFORM alpine AS cfg
 RUN echo "policy-server:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
 RUN echo "policy-server:x:65533:policy-server" >> /etc/group
 
+FROM scratch AS copy-amd64
+COPY --from=build-amd64 --chmod=0755 /root/.cargo/bin/policy-server /policy-server
+
+FROM scratch AS copy-arm64
+COPY --from=build-arm64 --chmod=0755 /root/.cargo/bin/policy-server /policy-server
+
 # Copy the statically-linked binary into a scratch container.
-FROM scratch
+FROM copy-${TARGETARCH}
 COPY --from=cfg /etc/passwd /etc/passwd
 COPY --from=cfg /etc/group /etc/group
-COPY --from=build --chmod=0755 /usr/local/cargo/bin/policy-server /policy-server
 ADD Cargo.lock /Cargo.lock
 USER 65533:65533
 EXPOSE 3000

Makefile

@@ -2,6 +2,9 @@ SHELL := /bin/bash
 IMG ?= policy-server:latest
 BINDIR ?= bin
 SBOM_GENERATOR_TOOL_VERSION ?= v0.0.15
+RUST_TARGET?=x86_64
+CONTAINER_PLATFORM?=linux/amd64
+
 
 SOURCE_FILES := $(shell test -e src/ && find src -type f)
 
@@ -57,8 +60,8 @@ tag:
 	@git tag -s -a -m "${TAG}"  "${TAG}"
 
 .PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
-	docker build -t ${IMG} .
+docker-build: #test ## Build docker image with the manager.
+	docker build --platform $(CONTAINER_PLATFORM) -t ${IMG} .
 
 bin:
 	mkdir $(BINDIR)