Ensure GitHub Actions artifact build has SBOM attestation in pipeline
Error: GitHub Actions artifact build does not have SBOM attestation in pipeline
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_6
Checkov Check ID: CKV_GHA_6
Severity: LOW
The workflow builds an artifact (typically a container image) but no step signs or attests an SBOM for it.
Cosign can sign pipeline artifacts so that their integrity can be verified before and after deployment. Attesting the SBOM with cosign binds the SBOM to the digest of the artifact it describes under the pipeline's signing key: a consumer (deployment admission, a scanner, an auditor) can then verify that both the artifact and its bill of materials came from this pipeline and were not altered between the build and deploy phases. An unsigned SBOM gives no such guarantee, since anyone who can write to the registry or artifact store can replace it.
Example Fix
Add a cosign attest (or cosign sign) step that signs the SBOM with the pipeline's signing key. There are many ways to do this as a job or step in a GitHub Actions pipeline; below are two examples. The first attaches the SBOM to the image as an in-toto attestation whose subject is the image digest (the preferred form). The second signs an SBOM that was previously pushed as a separate OCI artifact (the <repo>:sha256-<image digest>.sbom tag layout produced by cosign attach sbom); the reference shown is a placeholder, so substitute the real repository and image digest. In both cases the signing key should come from a secret (here env://COSIGN_PRIVATE_KEY or a key file materialised from a secret), never from a file committed to the repository.
+ run: cosign attest --predicate sbom.json --type https://cyclonedx.org/bom --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE }}
OR
+ run: cosign sign --key cosign.key container:sha256-1234.sbom
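A complete workflow that satisfies the check, added here as an example (it is not code from the Bridgecrew/Checkov documentation or from the cosign project). It assumes an image pushed to GHCR under the repository name, a cosign key pair whose private key and password are stored in the repository secrets COSIGN_PRIVATE_KEY and COSIGN_PASSWORD, and the matching public key committed as cosign.pub; the action versions and the sbom-action inputs are assumptions to be checked against the versions in use.

```yaml
name: build-attest-sbom
on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write          # needed to push the image to GHCR

env:
  IMAGE: ghcr.io/${{ github.repository }}   # assumed image name

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      - uses: sigstore/cosign-installer@v3

      # Generate a CycloneDX SBOM for the image that was actually pushed,
      # addressed by digest rather than by mutable tag.
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          format: cyclonedx-json
          output-file: sbom.cdx.json
          upload-artifact: false

      # This is the step CKV_GHA_6 is looking for: an in-toto attestation
      # whose subject is the image digest, signed with the pipeline key.
      - name: Attest SBOM
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          cosign attest --yes \
            --predicate sbom.cdx.json \
            --type cyclonedx \
            --key env://COSIGN_PRIVATE_KEY \
            "${IMAGE}@${{ steps.build.outputs.digest }}"

      # Verify what was just produced so a mis-signed or missing attestation
      # fails the build instead of being discovered at deploy time. The command
      # prints the DSSE envelope; decode the payload to confirm the predicate type.
      - name: Verify SBOM attestation
        run: |
          cosign verify-attestation \
            --type cyclonedx \
            --key cosign.pub \
            "${IMAGE}@${{ steps.build.outputs.digest }}" \
            | jq -r '.payload' | base64 -d | jq -e '.predicateType'
```

Two design points. First, every cosign and syft invocation addresses the image by digest (`IMAGE@sha256:...`), because a tag can be repointed after the attestation is made and the signature would then no longer cover what the tag resolves to. Second, the same verification performed in the last step is what a deployment gate should run: `cosign verify-attestation --type cyclonedx --key cosign.pub <image@digest>` exits non-zero when the attestation is absent or was made with a different key, which is the property the check is trying to guarantee. In production, pin the third-party actions to full commit SHAs rather than floating major-version tags.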