9898 labels : ${{ steps.image-labels.outputs.labels }}
9999 push : true
100100 platforms : linux/amd64,linux/arm64
101+ - name : Install Cosign
102+ uses : sigstore/cosign-installer@v4.0.0
103+ with :
104+ cosign-release : ' v2.5.3'
105+ - name : Sign image using cosign
106+ id : cosign-sign
107+ run : |
108+ echo "TAGS=${TAGS}"
109+ echo "DIGEST=${DIGEST}"
110+ images=""
111+ for tag in ${TAGS}; do
112+ images+="${{ env.REGISTRY}}${{ env.REGISTRY_REPO }}:${tag}@${DIGEST} "
113+ done
114+ echo "images=${images}" >> $GITHUB_OUTPUT
115+ cosign login -u ${{ env.REGISTRY_USER }} -p ${{ env.REGISTRY_PASSWORD }} ${{ env.REGISTRY }}
116+ cosign sign --key env://COSIGN_PRIVATE_KEY --tlog-upload=false ${images}
117+ env :
118+ TAGS : ${{ steps.tag.outputs.image-tag }}
119+ DIGEST : ${{ steps.build-push.outputs.digest }}
120+ REGISTRY : ${{ vars.REGISTRY_HOST }}
121+ REGISTRY_REPO : ${{ vars.REGISTRY_REPO }}
122+ REGISTRY_USER : ${{ vars.REGISTRY_AUTH_USER }}
123+ REGISTRY_PASSWORD : ${{ secrets.REGISTRY_AUTH_TOKEN }}
124+ COSIGN_PASSWORD : ${{ secrets.COSIGN_PASSWORD }}
125+ COSIGN_PRIVATE_KEY : ${{ secrets.COSIGN_PRIVATE_KEY }}
126+ - name : Verify signature
127+ run : |
128+ cosign verify --insecure-ignore-tlog=true --key env://COSIGN_PUBLIC_KEY ${IMAGES}
129+ env :
130+ IMAGES : ${{ steps.cosign-sign.outputs.images }}
131+ COSIGN_PUBLIC_KEY : ${{ secrets.COSIGN_PUBLIC_KEY }}
101132
102133 scan-image :
103134 name : Vulnerability scan
@@ -111,7 +142,7 @@ jobs:
111142 TRIVY_USERNAME : ${{ vars.REGISTRY_AUTH_USER }}
112143 TRIVY_PASSWORD : ${{ secrets.REGISTRY_AUTH_TOKEN }}
113144 with :
114- image-ref : ' ${{ vars.REGISTRY_HOST }}${{ vars.REGISTRY_REPO }}@${{ needs.build-push-image.outputs.image-digest }}'
115- exit-code : ' 1 '
116- vuln-type : ' os,library'
117- severity : ' CRITICAL,HIGH'
145+ image-ref : " ${{ vars.REGISTRY_HOST }}${{ vars.REGISTRY_REPO }}@${{ needs.build-push-image.outputs.image-digest }}"
146+ exit-code : " 1 "
147+ vuln-type : " os,library"
148+ severity : " CRITICAL,HIGH"
0 commit comments