feat(lab8): implement image signing, attestations and blob verification with Cosign#1424
Open
d13-l1t3 wants to merge 20 commits into
Open
feat(lab8): implement image signing, attestations and blob verification with Cosign#1424d13-l1t3 wants to merge 20 commits into
d13-l1t3 wants to merge 20 commits into
Conversation
feat(lab9): falco custom rules + conftest hardening policies
Feature/lab2#980
Feature/lab1
Feature/lab3
feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready att…
feat(lab5): ZAP baseline + auth + Semgrep + correlation
feat(lab7): trivy + PSS restricted + conftest gate
feat(lab6): Checkov + KICS scans + custom policy
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Goal
To implement and validate software supply chain security practices using Sigstore
cosign. This includes signing Docker images to prevent tampering, attaching SBOM and SLSA Provenance attestations to verify the build process, and signing arbitrary blobs to mitigate attacks similar to the Codecov 2021 incident.Changes
juice-shop:v20.0.0image in a local registry (localhost:5000).cosign attest --type cyclonedx).cosign attest --type slsaprovenance).tar.gzarchive, and signed it usingcosign sign-blob.lab8.mdreport with terminal outputs and explanations regarding digest binding importance and the Codecov 2021 mitigation.Testing
alpine:3.20image asjuice-shop;cosign verifycorrectly failed and rejected the tampered image.cosign verify-attestationand confirmed it perfectly matches the original Lab 4 SBOM component count. Successfully verified the SLSA Provenance attestation..tar.gzbundle. Appended a malicious payload to the archive, which was successfully detected and blocked bycosign verify-blobwith an ASN.1 signature validation error.Artifacts & Screenshots
lab8.mdreport containing all required execution logs and theoretical answers.verify-original.jsonverify-tampered.txtsbom-from-attestation.jsonprovenance-verify.jsonblob-tamper.txtChecklist
lab8.mdexists