@knabben
Last active February 20, 2024 16:01
Cosign and CVE policy control

1. check.cue - CUE policy file


// check.cue: deny the image when the CycloneDX predicate reports the given CVE.
// Only the list package is needed.
import "list"

#Predicate: {
  Data: string
  Timestamp: string
}

// The vulnerability that must not be present. The definition stays open (...)
// so the other CycloneDX vulnerability fields (source, ratings, ...) are allowed.
#Vulnerability: {
    id: "CVE-2023-6931"
    ...
}

predicate: {
  vulnerabilities: [...]
  // Collect the id of every reported vulnerability that matches #Vulnerability.id.
  result: [ for v in vulnerabilities if v.id == #Vulnerability.id {v.id} ]
}

// Admission passes only when no matching CVE was found.
predicate: result: list.MaxItems(0)

2. result.json - Generated with Trivy (CycloneDX output with vulnerability scanning)


$ trivy image --format cyclonedx --output result.json --scanners vuln ttl.sh/knabben/n3tshoot@sha256:869e0db58ed617fcffc1392548d3ccacad876e4589337b2b5ae18568ed8c2fbb

{
  ...
  "vulnerabilities": [
    {
      "id": "CVE-2023-6931",
      "source": {
        "name": "ubuntu",
        "url": "https://git.launchpad.net/ubuntu-cve-tracker"
      }
    }
  ]
}

3. Signing the predicate for the image with cosign (in-toto attestation)


cosign attest --predicate result.json --type cyclonedx ttl.sh/knabben/n3tshoot@sha256:869e0db58ed617fcffc1392548d3ccacad876e4589337b2b5ae18568ed8c2fbb

4. policy.yaml - Creating the ClusterImagePolicy with CUE embedded


apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: custom-key-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - keyless:
      identities:
      - issuer: https://accounts.google.com
        subject: amim.knabben@gmail.com
    attestations:
    - name: musthave
      predicateType: "https://cyclonedx.org/bom"
      policy:
        type: cue
        data: |
          // Only the list package is used.
          import "list"

          #Predicate: {
            Data: string
            Timestamp: string
          }

          // CVE ids that must not appear in the CycloneDX predicate.
          cveList: [ "CVE-2023-6937", "CVE-2023-6939" ]

          predicate: {
            vulnerabilities: [...]
            // ids of the reported vulnerabilities that are on the deny list
            result: [ for v in vulnerabilities if list.Contains(cveList, v.id) {v.id} ]
            ...
          }

          // Admission fails as soon as one listed CVE is present.
          predicate: result: list.MaxItems(0)

5. Testing the signature with policy-tester


./policy-tester -image ttl.sh/knabben/n3tshoot@sha256:869e0db58ed617fcffc1392548d3ccacad876e4589337b2b5ae18568ed8c2fbb -policy policy.yaml
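
The CUE rule above is evaluated against the in-toto statement carried in the DSSE envelope that cosign attest pushed alongside the image. The following Python script is an added example (not code from the gist) that reproduces the same check offline against a decoded envelope and reports which deny-listed CVE ids matched; the envelope, image name, digest and findings are constructed sample data, and the statement layout (`_type`, `predicateType`, `predicate`) is the one cosign attest produces.

```python
import base64
import json

# Constructed sample (not a real scan): the DSSE envelope that `cosign attest`
# stores and `cosign download attestation <image>` returns; its payload is an
# in-toto statement whose predicate is a trimmed CycloneDX BOM with two findings.
_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-2023-6931", "source": {"name": "ubuntu"}},
        {"id": "CVE-2023-6937", "source": {"name": "ubuntu"}},
    ],
}
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://cyclonedx.org/bom",
    "subject": [{"name": "ttl.sh/example/image", "digest": {"sha256": "0" * 64}}],
    "predicate": _BOM,
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"sig": "<omitted in this constructed sample>"}],
})

CVE_LIST = ["CVE-2023-6937", "CVE-2023-6939"]  # same deny list as cveList above

def statement_from_envelope(envelope_json: str) -> dict:
    """Decode the DSSE payload into the in-toto statement the CUE policy is run on.
    Signature checking is cosign's job (cosign verify-attestation); not done here."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))

def evaluate(statement: dict, cve_list: list) -> tuple:
    """Mirror the CUE rule: predicate.result must be empty. Returns (passed, hits)."""
    # policy-controller selects attestations by predicateType first
    if statement.get("predicateType") != "https://cyclonedx.org/bom":
        return False, []
    vulns = statement.get("predicate", {}).get("vulnerabilities", [])
    hits = [v["id"] for v in vulns if v.get("id") in cve_list]
    return not hits, hits

if __name__ == "__main__":
    passed, hits = evaluate(statement_from_envelope(SAMPLE_ENVELOPE), CVE_LIST)
    print("admitted" if passed else f"denied, CVEs on the deny list: {hits}")
```

For a real image, feed the output of `cosign download attestation <image>` into statement_from_envelope; the returned hits are the detail the policy-controller error message leaves out.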

knabben commented Feb 20, 2024

The error raised is missing information on the CVE matching -- it can be improved with the found CVE string:

{"errors":["failed evaluating cue policy for musthave: failed to evaluate the policy with error: predicate.result: invalid value [{v.id}] (does not satisfy list.MaxItems(0)): len(list) \u003e MaxItems(0) (1 \u003e 0) (and 1 more errors): "]}
