Skip to content

nais/salsa

Use this GitHub Action with your project

Add this Action to an existing workflow or create a new one.

View on Marketplace
main
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
cmd
 
 
pkg
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

nais SLSA Provenance Action

Salsa build & release Salsa integration Check pinned workflows
GitHub tag (latest by date) GitHub last commit GitHub license Go Report Card GitHub go.mod Go version (branch)

About

This is a Github Action for generating signed provenance about a build and its related artifacts. Provenance is an attestation (a "software bill of materials") about a software artifact or collection of artifacts, documenting how an artifact was produced - all in a common format.

Supply chain Levels for Software Artifacts, or SLSA (pronounced: salsa), is a security framework ( standards, guidelines etc.) to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.

The action implements the level 3 requirements of the SLSA Framework (as long as it is run in an ephemeral environment) producing a signed software attestation of your build and dependencies. The attestation is signed and uploaded to your container registry using cosign and can be verified by the salsa cli (also provided in this repo) or using the cosign verify-attestation command.

Disclaimer: This is not an official GitHub Action maintained by the SLSA team. It is created by the nais.io team for the purpose of securing supply chains in NAV. However we encourage other organizations/users to use it and even contribute as it is built with open source in mind.

Built with

Formats/Standards implemented

Materials

This actions creates attestations with materials based on both runtime and transitive dependencies, using a supported build tool.

Supported build tools

Getting started

How to use

Requirements

  • Currently we only support signing keys from a KMS provider - see cosign documentation for more details. Your workflow must set up an explicit authentication step for your KMS provider before the nais salsa action.

  • actions/checkout is required prior to using this action as nais salsa must have access to your build manifest to digest over dependencies.

Key Management

The salsa action use cosign and KMS for signing and verifying the attestation. Cosign supports all the standard key management systems. If your project requires other providers please feel free to submit an issue or pull request.

Setup

KMS with cosign requires some setup at you provider. In short for Google KMS:

  1. KMS is enabled in your Google project
    1. create a keyring
      1. create keys: Elliptic Curve P-256 key SHA256 Digest
  2. Service accounnt in project has roles:
    1. Cloud KMS CryptoKey signer/verifier
    2. Cloud KMS viewer Role
  3. Configure Github actions secret containing the serviceuser
  4. Configure with.key with the right URI format for Google: gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION
Other KMS providers

It is possible to use other KMS providers, see the cosign KMS documentation for more information about provider setup and key URI formats.

Example

Workflows

name: ci

on:
  push:
    branches:
      - 'main'

env:
  IMAGE: ttl.sh/nais/salsa-test:1h
  KEY: gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION

jobs:
  provenance:
    runs-on: ubuntu-20.04
    steps:

      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: ${{ env.IMAGE }}

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0
        with:
          credentials_json: ${{ secrets.GCP_CREDENTIALS }}

      - name: Provenance, upload and sign attestation
        uses: nais/salsa@v0.1
        with:
          key: ${{ env.KEY }}
          docker_pwd: ${{ secrets.GITHUB_TOKEN }}

Customizing

inputs

Github context

The github context contains information about the workflow run and the event that triggered the run. By default, this action uses the Github context.

Runner Context

The runner context contains information about the runner that is executing the current job. By default, this action uses the Runner context.

The Following inputs can be used as step.with keys

Name Type Default Description Required
key String "" Private key (cosign.key) or kms provider, used for signing the attestation True
docker_pwd String "" Password for docker True
image String $IMAGE The container image to create a attestation for False
docker_user String github.actor User to login to container registry False
repo_name String github.repository The name of the repo/project False
repo_sub_dir String "" Specify a subdirectory if build file not found in working root directory False
dependencies Bool true Set to false if action should not create materials for dependencies (e.g. if build tool is unsupported or repo uses internal/private dependencies) False
repo_dir String $GITHUB_WORKSPACE Internal value (do not set): Root of directory to look for build files False
github_context String ${{ toJSON(github) }} Internal value (do not set): the github context object in json False
runner_context String ${{ toJSON(runner) }} Internal value (do not set): the runner context object in json False

Release

Checksums

We generate a checksums.txt file and upload it with the release, so users can validate if the downloaded files are correct. All files are by default digested with algorithm sha256.

Verify signature

The release artifacts are signed with cosign and can be verified by using the public signing key.

cosign verify-blob --key cosign.pub --signature salsa.tar.gz.sig salsa.tar.gz

Verified OK