{"id":18941425,"url":"https://github.com/mchmarny/s3cme","last_synced_at":"2025-06-23T00:39:19.142Z","repository":{"id":65239106,"uuid":"588304121","full_name":"mchmarny/s3cme","owner":"mchmarny","description":"Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance","archived":false,"fork":false,"pushed_at":"2024-04-23T16:01:43.000Z","size":3907,"stargazers_count":104,"open_issues_count":11,"forks_count":10,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-15T22:52:21.167Z","etag":null,"topics":["attestation","cosine","oidc","provenance","sbom","slsa","supply-chain-security","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mchmarny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-12T20:07:37.000Z","updated_at":"2025-01-27T19:33:23.000Z","dependencies_parsed_at":"2024-01-28T19:27:42.326Z","dependency_job_id":"6a2eb640-facc-404f-ab6a-76e248ecfa9f","html_url":"https://github.com/mchmarny/s3cme","commit_stats":null,"previous_names":[],"tags_count":134,"template":true,"template_full_name":null,"purl":"pkg:github/mchmarny/s3cme","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fs3cme","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fs3cme/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/mchmarny%2Fs3cme/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fs3cme/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mchmarny","download_url":"https://codeload.github.com/mchmarny/s3cme/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fs3cme/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261391267,"owners_count":23151662,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attestation","cosine","oidc","provenance","sbom","slsa","supply-chain-security","vulnerability"],"created_at":"2024-11-08T12:28:02.107Z","updated_at":"2025-06-23T00:39:14.127Z","avatar_url":"https://github.com/mchmarny.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# s3cme\n\nSample Go app repo with test and release pipelines optimized for software supply chain security (S3C).\n\n![](images/workflow-tag.png)\n\n* [Repo Usage](#repo-usage)\n* [Provenance Verification](#provenance-verification)\n  * [Manual](#manual)\n  * [In Cluster](#in-cluster)\n\nWhat's in the included workflow pipelines:\n\n* `on-push` - PR qualification\n  * Static code vulnerability scan using [trivy](https://github.com/aquasecurity/trivy)\n  * Repo security alerts based on SARIF reports from CodeQL scans\n* `on-tag` - Release (container image build)\n  * Image build/push using [ko](https://github.com/ko-build/ko) (includes SBOM generation)\n  * Image vulnerability scan using 
[trivy](https://github.com/aquasecurity/trivy) with a max severity check parameter\n  * Image signing and attestation using [cosign](https://github.com/sigstore/cosign)\n  * SLSA provenance generation using [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)\n  * SLSA provenance verification using both [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) and a [CUE](https://cuelang.org/) policy evaluated by [cosign](https://github.com/sigstore/cosign)\n* `on-schedule` - Repo hygiene\n  * Semantic code analysis using CodeQL (every 4 hours)\n\n## Repo Usage\n\nUse this template to create a new repo (click the green button and follow the wizard).\n\n![](images/template.png)\n\nWhen done, clone your new repo locally and navigate into it:\n\n```shell\ngit clone git@github.com:$GIT_HUB_USERNAME/$REPO_NAME.git\ncd $REPO_NAME\n```\n\nInitialize your new repo. This will update all the references to your newly cloned GitHub repository.\n\n```shell\ntools/init-repo\n```\n\nWhen completed, commit and push the updates to your repository:\n\n```shell\ngit add --all\ngit commit -m 'repo init'\ngit push --all\n```\n\n\u003e The above push will trigger the `on-push` flow. You can navigate to `/actions` in your repo to see the status of that pipeline.\n\n![](images/push.png)\n\n### Trigger release pipeline\n\nThe canonical version of the entire repo is stored in the [.version](.version) file. Feel free to edit it (by default: `v0.0.1`). When done, trigger the release pipeline:\n\n\u003e If you did edit the version, make sure to commit and push that change to the repo first. You can also use `make tag` to automate the entire process.\n\n```shell\nexport VERSION=$(cat .version)\ngit tag -s -m \"initial release\" $VERSION\ngit push origin $VERSION\n```\n\n### Monitor the pipeline\n\nNavigate to `/actions` in your repo to see the status of that release pipeline. Wait until all steps (aka jobs) have completed (green). 
\n\n\u003e If any steps fail, click on them to see the cause. Fix it, commit/push changes to the repo, and tag a new release to re-trigger the pipeline.\n\n![](images/tag.png)\n\n### Review produced image\n\nWhen successfully completed, that pipeline will create an image. Navigate to the registry to confirm the image was created.\n\n\u003e This link will take you to the original template registry. Replace username and repo to navigate to yours.\n\nhttps://github.com/mchmarny/s3cme/pkgs/container/s3cme\n\n![](images/reglist.png)\n\nThe image is the line item tagged with the version (e.g. `latest`). The other three OCI artifacts in the registry, named with the image digest, are:\n\n* `.sig` - cosign signature\n* `.att` - SLSA attestations\n* `.sbom` - SBOM (SPDX v2.3)\n\nYou can now take the image digest and query the sigstore transparency log (Rekor). The easiest way to do that is to use Chainguard's [rekor-search-ui](https://github.com/chainguard-dev/rekor-search-ui). Here is the entry for [s3cme v0.6.35](https://search.sigstore.dev/?hash=sha256:c85cdbb4cff81cd12f12af9cc7da4929f1b653a55896501e18755674739403fa).\n\n## Provenance Verification\n\nWhenever you tag a release in the repo and an image is pushed to the registry, that image has an \"attached\" attestation in the form of [SLSA provenance (v0.2)](https://slsa.dev/provenance/v0.2). This allows you to trace that image all the way to its source in the repo (including the GitHub Actions that were used to generate it). That ability for verifiable traceability is called provenance. 
\n\n### Manual\n\nTo manually verify the SLSA build provenance of an image that was generated by the `on-tag` pipeline, use cosign:\n\n```shell\ncosign verify-attestation \\\n   --type slsaprovenance \\\n   --certificate-identity-regexp \"^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$\" \\\n   --certificate-oidc-issuer https://token.actions.githubusercontent.com \\\n   --policy policy/provenance.cue \\\n   $digest\n```\n\nThe terminal output will include the checks that were executed as part of the validation, as well as information about the subject (URI of the tag ref that triggered that workflow), with its SHA, name, and ref.\n\n```shell\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - Existence of the claims in the transparency log was verified offline\n  - The code-signing certificate was verified using trusted certificate authority certificates\nCertificate subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.5.0\nCertificate issuer URL: https://token.actions.githubusercontent.com\nGitHub Workflow Trigger: push\nGitHub Workflow SHA: 5ed1e3b75214316fd5cd09e77b88f41c01ea85ec\nGitHub Workflow Name: on_tag\nGitHub Workflow Repository: mchmarny/s3cme\nGitHub Workflow Ref: refs/tags/v0.6.35\n```\n\nThe output will also include JSON, which looks something like this (`payload` abbreviated):\n\n```json\n{\n   \"payloadType\": \"application/vnd.in-toto+json\",\n   \"payload\": \"eyJfdHl...V19fQ==\",\n   \"signatures\": [\n      {\n         \"sig\": \"MEUCIQCl+9dSv9f9wqHTF9D6L1bizNJbrZwYz0oDtjQ1wiqmLwIgE1T1LpwVd5+lOnalkYzNftTup//6H9i6wKDoCNNhpeo=\"\n      }\n   ]\n}\n```\n\nThe `payload` field (abbreviated above) is the base64-encoded [in-toto statement](https://in-toto.io/) whose predicate carries the GitHub Actions provenance:\n\n```shell\n... 
 | jq -r .payload | base64 -d | jq -r .\n```\n\nReturns:\n\n```json\n{\n    \"_type\": \"https://in-toto.io/Statement/v0.1\",\n    \"predicateType\": \"https://slsa.dev/provenance/v0.2\",\n    \"subject\": [\n        {\n            \"name\": \"ghcr.io/mchmarny/s3cme\",\n            \"digest\": {\n                \"sha256\": \"c85cdbb4cff81cd12f12af9cc7da4929f1b653a55896501e18755674739403fa\"\n            }\n        }\n    ],\n    \"predicate\": {...}\n}\n```\n\n### In Cluster\n\nYou can also verify the provenance of an image in your Kubernetes cluster.\n\n\u003e This assumes you already configured the sigstore admission controller in your Kubernetes cluster. If not, you can use the provided [tools/gke-cluster](tools/gke-cluster) script to create a cluster and configure sigstore policy-controller.\n\nFirst, review the [policy/cluster.yaml](policy/cluster.yaml) file and make sure the glob pattern matches your Artifact Registry (`**` will match any character). You can make this as specific as you want (e.g. any image in the project in a specific region).\n\n```yaml\nimages:\n- glob: ghcr.io/mchmarny/**\n```\n\nNext, check the subject portion of the issuer identity (in this case, the SLSA generator workflow for containers, with the repo tag).\n\n```yaml\nidentities:\n- issuer: https://token.actions.githubusercontent.com\n  subjectRegExp: \"^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$\"\n```\n\nFinally, the policy data that checks the `predicateType` on the image should contain the same policy ([policy/provenance.cue](policy/provenance.cue)) used during the release pipeline's SLSA verification and in the manual verification above. 
\n\n```yaml\npolicy:\n   type: cue\n   data: |\n     predicateType: \"https://slsa.dev/provenance/v0.2\"\n     ...\n```\n\n\u003e Make sure the content is indented correctly.\n\nWhen finished, apply the policy to the cluster:\n\n```shell\nkubectl apply -f policy/slsa.yaml\n```\n\nTo verify SLSA provenance on any namespace in your cluster, add a sigstore inclusion label to that namespace (e.g. `demo`):\n\n```shell\nkubectl label ns demo policy.sigstore.dev/include=true\n```\n\nNow you should see an error when deploying images that don't have a SLSA attestation created by your release pipeline:\n\n```shell\nkubectl run test --image=nginxdemos/hello -n demo\n```\n\nWill result in:\n\n```shell\nadmission webhook \"policy.sigstore.dev\" denied the request: validation failed: no matching policies: spec.containers[0].image\nindex.docker.io/nginxdemos/hello@sha256:46bd594006f4bacc8a6c1cc2941ef842caf2358bc258619f7bea1558bc461b38\n```\n\nThat request was rejected because the image URI doesn't match the image glob we specified (`glob: ghcr.io/mchmarny/**`). 
Now try to deploy an image that does match the glob but has no SLSA attestation:\n\n```shell\nkubectl run test -n demo --image ghcr.io/mchmarny/s3cme-no-slsa@sha256:0d8b8a9e3635545476b880612d5a058616d7ac378b79b67ad412e9a9c11e7e45\n```\n\nNow the failure is on the SLSA policy, due to the lack of verifiable attestations:\n\n```shell\nadmission webhook \"policy.sigstore.dev\" denied the request: validation failed: failed policy: slsa-attestation-image-policy: spec.containers[0].image\nghcr.io/mchmarny/s3cme@sha256:c85cdbb4cff81cd12f12af9cc7da4929f1b653a55896501e18755674739403fa attestation keyless validation failed for authority authority-0 for ghcr.io/mchmarny/s3cme@sha256:0d8b8a9e3635545476b880612d5a058616d7ac378b79b67ad412e9a9c11e7e45: no matching attestations:\n```\n\nFinally, deploy an image from the trusted registry that has a SLSA attestation:\n\n```shell\nkubectl run test -n demo --image ghcr.io/mchmarny/s3cme@sha256:c85cdbb4cff81cd12f12af9cc7da4929f1b653a55896501e18755674739403fa\n```\n\nNow the response is simple:\n\n```shell\npod/test created\n```\n\nThis demonstrates how the policy-controller admission controller enforces [SLSA provenance](https://slsa.dev/provenance/v0.2) policy in your cluster based on verifiable supply-chain metadata from [cosign](https://github.com/sigstore/cosign).\n\n## Disclaimer\n\nThis is my personal project and it does not represent my employer. While I do my best to ensure that everything works, I take no responsibility for issues caused by this code.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchmarny%2Fs3cme","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmchmarny%2Fs3cme","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchmarny%2Fs3cme/lists"}