Ensure GitHub Actions artifact build has SBOM attestation in pipeline

Error: GitHub Actions artifact build do not have SBOM attestation in pipeline
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_6
Checkov Check ID: CKV_GHA_6
Severity: LOW

The GitHub Actions artifact build does not have an SBOM attestation step in the pipeline.

Cosign can be used to sign pipeline artifacts to ensure their integrity and detect tampering before and after deployment. Attesting the SBOM binds it to the built artifact, so consumers can verify that the SBOM describes exactly what was built and that neither was altered between the build and deploy phases.

Example Fix

Add a cosign step to sign or attest SBOMs. There are many ways to do this as a job or step in a GitHub Actions pipeline. Below is one example for signing an SBOM.

+ run: cosign attest --predicate sbom.json --type https://cyclonedx.org/bom --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE }}

OR

+ run: cosign sign --key cosign.key container:sha256-1234.sbom