diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 56b0848..63d812b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,27 +18,57 @@ jobs:
uses: actions/setup-go@v2
with:
go-version: 1.17
- - name : Get release version
- id: get_version
- run: echo ::set-env name=RELEASE_VERSION::$(echo ${GITHUB_REF:10})
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.5.2'
+ - name: Store Cosign private key in a file
+ run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
+ shell: bash
+ env:
+ COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{secrets.DOCKER_USERNAME}}
+ password: ${{secrets.DOCKER_PASSWORD}}
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@v1
with:
version: v1
args: mod -licenses -json -output bom.json
+ - name: Docker meta
+ uses: docker/metadata-action@v3
+ id: meta
+ with:
+ images: securego/gosec
+ flavor: |
+ latest=true
+ tags: |
+ type=sha,format=long
+ type=semver,pattern={{version}}
- name: Release Binaries
uses: goreleaser/goreleaser-action@v2
with:
version: latest
args: release --rm-dist
env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- name: Release Docker Image
- uses: elgohr/Publish-Docker-Github-Action@master
+ uses: docker/build-push-action@v2
with:
- name: securego/gosec
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
- buildargs: GO_VERSION=1.17
- tags: "latest,${{ env.RELEASE_VERSION }}"
- tag_names: true
+ platforms: linux/amd64,linux/arm/v7,linux/arm64
+ tags: ${{steps.meta.outputs.tags}}
+ labels: ${{steps.meta.outputs.labels}}
+ push: true
+ build-args: GO_VERSION=1.17
+ - name: Sign Docker Image
+ run: cosign sign -key /tmp/cosign.key ${TAGS}
+ env:
+ TAGS: ${{steps.meta.outputs.tags}}
+ COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 300f4b4..539be56 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -9,7 +9,7 @@ release:
name: gosec
builds:
- - main : ./cmd/gosec/
+ - main: ./cmd/gosec/
binary: gosec
goos:
- darwin
@@ -21,3 +21,10 @@ builds:
ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X main.BuildDate={{.Date}}
env:
- CGO_ENABLED=0
+
+signs:
+- cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD}}'
+ args: ["sign-blob", "--key=/tmp/cosign.key", "--output=${signature}", "${artifact}"]
+ artifacts: all
+
diff --git a/README.md b/README.md
index 49b7408..772e124 100644
--- a/README.md
+++ b/README.md
@@ -407,6 +407,19 @@ git push origin v1.0.0
The GitHub [release workflow](.github/workflows/release.yml) triggers immediately after the tag is pushed upstream. This flow will
release the binaries using the [goreleaser](https://goreleaser.com/actions/) action and then it will build and publish the docker image into Docker Hub.
+The released artifacts are signed using [cosign](https://docs.sigstore.dev/). You can use the public key from [cosign.pub](cosign.pub)
+file to verify the signature of docker image and binaries files.
+
+The docker image signature can be verified with the following command:
+```
+cosign verify --key cosign.pub securego/gosec:<TAG>
+```
+
+The binary files signature can be verified with the following command:
+```
+cosign verify-blob --key cosign.pub --signature gosec_<VERSION>_darwin_amd64.tar.gz.sig gosec_<VERSION>_darwin_amd64.tar.gz
+```
+
### Docker image
You can also build locally the docker image by using the command:
@@ -450,4 +463,4 @@ This is a [list](USERS.md) with some of the gosec's users.
Support this project by becoming a sponsor. Your logo will show up here with a link to your website
-<a href="https://github.com/mercedes-benz" target="_blank"><img src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4"></a>
\ No newline at end of file
+<a href="https://github.com/mercedes-benz" target="_blank"><img src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4"></a>
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..c6fd559
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFphl7f2VuFRfsi4wqiLUCQ9xHQgV
+O2VMDNcvh+kxiymLXa+GkPzSKExFYIlVwfg13URvCiB+kFvITmLzuLiGQg==
+-----END PUBLIC KEY-----
diff --git a/report/html/writer.go b/report/html/writer.go
index 36b2f94..125b7cd 100644
--- a/report/html/writer.go
+++ b/report/html/writer.go
@@ -1,7 +1,6 @@
package html
import (
-
// use go embed to import template
_ "embed"
"html/template"
diff --git a/report/text/writer.go b/report/text/writer.go
index 08698ea..2ea8d7c 100644
--- a/report/text/writer.go
+++ b/report/text/writer.go
@@ -3,9 +3,7 @@ package text
import (
"bufio"
"bytes"
-
- // use go embed to import template
- _ "embed"
+ _ "embed" // use go embed to import template
"fmt"
"io"
"strconv"