A reusable GitHub Actions workflow that:
- Builds a container image
- Scans it with [Trivy](https://github.com/aquasecurity/trivy)
- Pushes it to ECR
- Signs it with [cosign](https://github.com/sigstore/cosign)
- Computes its SBOM with [Syft](https://github.com/anchore/syft)
- Attaches the SBOM to it via cosign

On pull requests the image is only built and scanned locally (nothing is pushed or signed); on any other event it is pushed to ECR, signed, and gets its SBOM attached, as shown in the flow below:
```mermaid
graph TD;
start --> install
subgraph build
install([Setup cosign and buildx]) --> pr{Is PR?}
pr --> |Yes| local[/Build image locally/]
local --> trivy[/Run Trivy/]
trivy --> show[/Show build and scan output\]
pr --> |No| authenticate([Authenticate to AWS via OIDC])
authenticate --> login([Login to ECR])
login --> buildx[/Build and push container image/]
buildx --> signx[/Sign the image with cosign/]
end
subgraph sbom
install2([Setup cosign and syft]) --> authenticate2([Authenticate to AWS via OIDC])
authenticate2 --> login2([Login to ECR])
login2 --> compute[/Compute SBOM with Syft/]
compute --> attach[/Attach SBOM to image with cosign/]
end
signx --> install2
attach --> finish
```
- Set up OIDC federation between GitHub Actions and AWS, so the workflow can assume an IAM role without storing long-lived AWS keys as repository secrets. You can use my Identity Federation for CI on AWS Terraform module to automate the setup of OIDC federation between AWS and GitHub Actions/Gitlab CI.
- Make a copy of the reusable workflow: `reusable-docker.yml`.
- Call the reusable workflow from your own workflow as shown in the sample below. The calling workflow must grant `id-token: write` (plus `contents: read`), otherwise the "Authenticate to AWS via OIDC" step cannot obtain a token. If you reference the workflow from this repository instead of your copy, pin it to a commit SHA rather than `@main`, so that a change upstream cannot silently alter what runs in your pipeline:
```yaml
...
    uses: marco-lancini/utils/ci/github/docker-build-sign-sbom/reusable-docker.yml@main
    with:
      FOLDER: 'path/to/dockerfile/folder'
      AWS_ACCOUNT_NAME: ''
      AWS_ACCOUNT_ID: ''
      AWS_REGION: ''
      AWS_ROLE: ''
      REGISTRY: <id>.dkr.ecr.<region>.amazonaws.com
      IMAGE_NAME: sample-app
```
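The snippet above is only the `uses:` fragment. Below is an added, complete caller workflow (example code written for this page, not part of the `marco-lancini/utils` repository) that wires the reusable workflow with the permissions it needs and adds a consumer-side job that verifies the signature and retrieves the SBOM. The account ID, region, role name, registry and the `<sha>` pin are placeholders. It also assumes, because the page does not say, that the reusable workflow signs keylessly with the job's GitHub OIDC token, attaches the SBOM with `cosign attach sbom`, and tags the image with the commit SHA; adjust the `verify` job if your copy uses a key pair, attestations, or a different tag.

```yaml
# Added example caller workflow; not the project's own file.
name: build-sign-sbom

on:
  pull_request:
  push:
    branches: [main]

# id-token: write lets a job request a GitHub OIDC token, which both the AWS
# federation step and keyless cosign signing rely on. Without it the reusable
# workflow's "Authenticate to AWS via OIDC" step fails.
permissions:
  contents: read
  id-token: write

jobs:
  build:
    # Pinned to a commit SHA rather than @main so an upstream change cannot
    # silently alter this pipeline. <sha> is a placeholder: use the commit you reviewed.
    uses: marco-lancini/utils/ci/github/docker-build-sign-sbom/reusable-docker.yml@<sha>
    with:
      FOLDER: 'app'                      # placeholder path to the Dockerfile folder
      AWS_ACCOUNT_NAME: 'prod'           # placeholder
      AWS_ACCOUNT_ID: '123456789012'     # placeholder
      AWS_REGION: 'eu-west-1'            # placeholder
      AWS_ROLE: 'github-ci-ecr-push'     # placeholder IAM role set up via OIDC federation
      REGISTRY: 123456789012.dkr.ecr.eu-west-1.amazonaws.com
      IMAGE_NAME: sample-app

  # Consumer-side check: pull the signature and SBOM back from ECR and verify
  # them. Skipped on pull requests, since the PR path never pushes an image.
  verify:
    if: github.event_name != 'pull_request'
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-ci-ecr-push   # placeholder
          aws-region: eu-west-1
      - uses: aws-actions/amazon-ecr-login@v2
      - uses: sigstore/cosign-installer@v3
      - name: Verify signature and fetch SBOM
        env:
          # Assumption: the reusable workflow tags the pushed image with the commit SHA.
          IMAGE: 123456789012.dkr.ecr.eu-west-1.amazonaws.com/sample-app:${{ github.sha }}
        run: |
          # Keyless verification (assumed signing mode). The certificate's identity is
          # the job_workflow_ref of the workflow that signed, i.e. the reusable workflow,
          # so a signature produced by any other workflow, or by someone holding only
          # registry credentials, is rejected.
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/marco-lancini/utils/ci/github/docker-build-sign-sbom/reusable-docker.yml@' \
            "$IMAGE"
          # List every signature and SBOM attached to the image, then pull the SBOM down.
          cosign tree "$IMAGE"
          cosign download sbom "$IMAGE" > sbom.json
          # Count entries whichever JSON flavour Syft emitted (Syft JSON, CycloneDX, SPDX).
          jq -r '(.artifacts // .components // .packages) | length' sbom.json
```

The `verify` job is where the signature and SBOM earn their keep: a deploy pipeline can run the same `cosign verify` call as an admission gate, so an image that was pushed to ECR without going through this workflow is refused even though it sits in the same registry under the same name.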