Ensure GitHub Actions artifact build has cosign - sign execution in pipeline

Error: GitHub Actions artifact build does not have a cosign sign execution in the pipeline
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_5
Checkov Check ID: CKV_GHA_5
Severity: LOW

GitHub Actions artifact build does not have a cosign sign execution in the pipeline

Cosign can be used to sign pipeline artifacts, such as container images, to ensure their integrity and prevent tampering prior to and after deployment. Violating this policy means a signable artifact was discovered but there is no evidence of signing that artifact in your pipeline.

Example Fix

Add a cosign sign step so that every signable artifact the pipeline produces is signed. There are many ways to do this as a job or step in a GitHub Actions pipeline. Below is one example for signing a container image with a private key supplied through the COSIGN_PRIVATE_KEY environment variable (typically populated from a repository secret).

+ run: cosign sign --key env://COSIGN_PRIVATE_KEY -a sha=${{ github.sha }} -a run_id=${{ github.run_id }} ${{ env.IMAGE }}
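The one-line fix above assumes a long-lived private key. As an added example that is not part of the original policy page, the complete workflow below shows the other common way to satisfy this check: keyless signing with Sigstore, where the signing identity is the workflow's own OIDC token, so no key material has to be stored as a secret. The image name `ghcr.io/${{ github.repository }}`, the job and step ids, and the action versions (`sigstore/cosign-installer@v3`, `docker/login-action@v3`, `docker/build-push-action@v5`) are assumptions for this example; adjust them to your registry and pinning policy. The image is signed by digest rather than by tag so that the signature cannot be re-pointed by a later push to the same tag, and a final `cosign verify` step proves in the same run that the signature is actually discoverable.

```yaml
# Added example workflow (not from the policy page): build, push, sign and verify
# a container image with keyless cosign signing.
name: build-sign-image

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write   # push to GHCR (assumed registry)
  id-token: write   # required for keyless (OIDC) signing with cosign

env:
  # Assumed image name; replace with your own registry/repository
  IMAGE: ghcr.io/${{ github.repository }}

jobs:
  build-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Log in to registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # This is the step CKV_GHA_5 looks for: the artifact is signed in-pipeline.
      # Signing by digest (not tag) binds the signature to the exact image bytes.
      # --yes accepts the Sigstore transparency-log upload prompt non-interactively.
      - name: Sign image (keyless)
        run: |
          cosign sign --yes \
            -a sha=${{ github.sha }} \
            -a run_id=${{ github.run_id }} \
            "${IMAGE}@${{ steps.build.outputs.digest }}"

      # Verify the signature in the same run so a silent signing failure or a
      # mismatched identity is caught before anything downstream consumes the image.
      - name: Verify signature
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
            "${IMAGE}@${{ steps.build.outputs.digest }}"
```

If your deployment environment enforces signatures (for example an admission controller that runs `cosign verify` on every image), make sure it pins the same OIDC issuer and identity pattern used in the verify step; a check that accepts any signer gives little more assurance than no signature at all.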