"Validate" is a robust GitHub Action developed by Enterprise Contract, designed to assess container images for security and compliance. This action has two authentication methods: Long-Lived Public-Key Authentication and Keyless Authentication made possible by Enterprise Contract.
Keyless Authentication represents the highest level of Sigstore sophistication. Verification is based on the signer's identity, It's made possible by two essential parts:
- Certificate Identity: This identifier is crucial for verifying the image-associated certificate.
- Certificate OIDC Issuer: The OIDC issuer serves a vital role in validating the identity.
Keyless Authentication significantly enhances security, ensuring image authenticity. The verification process hinges on the signer's identity, providing an innovative solution for robust container image authentication.
The Long-Lived Public-Key Authentication method involves a comprehensive three-stage validation process:
-
Signature Verification: The action cryptographically verifies image signatures using the provided public key.
-
Attestation Verification: It ensures images possess valid and signed attestations, enriching details about image origin and attributes.
-
Policy Conformance Verification: This step aligns image attestations with pre-established policies, guaranteeing organizational standards compliance.
For more details:
To use this action, please configure the following environment variables in your workflow based on the desired authentication method.
The Long-Lived public-key method offers a straightforward way to integrate with Sigstore. Below are the variables needed:
| Name | Description | Example |
|---|---|---|
| Public Key | The public key for verifying signatures. | your_public_key_goes_here |
| Policy | The location of the policy.yaml config file to be used when running Enterprise Contract. A list of standard configs can be found at here. | github.com/enterprise-contract/config//slsa3 |
| Image | Image that is built. | quay.io/redhat-appstudio/ec-golden-image:latest |
This authentication approach is the most robust, as Sigstore authentication is based on the signer's identity rather than a key. The following variables are needed:
| Name | Description | Example |
|---|---|---|
| Identity | A regexp string used to match the certificate identity linked to the image. | https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|lcarva\/festoji)\/ |
| Issuer | OIDC issuer for validation purposes. | https://token.actions.githubusercontent.com |
| Image | Image to be verified. | quay.io/lucarval/festoji:latest |
Ensure to pick the right method for your needs and set up the variables accordingly.
The Enterprise Contract provides a variety of additional options that can seamlessly integrate into this action-validate-image. These extra-params are outlined in the official documentation, which can be found here. You have the freedom to incorporate as many as you need. Just simply add extra-params into your worflow.
extra-params: --ignore-rekor --debugIf you're eager to experience the benefits of the "Validate" action in your build process, follow these simple steps to get started. By copying and pasting either 'keyless' or 'long-lived' example below to your project's .github/workflows/ directory, you'll be on your way to enhancing your container image security and compliance.
Copy and Paste: Insert the example snippet below into your .github/workflows/ directory.
- Replace the Image with your image URL or file path within the
imageparameter. - Set up your key using GitHub vars, following recommended practices. Tutorial can be found here
- Choose a policy that aligns with your requirements and objectives. Policy's can be found here Public-Key Authentication)
name: example of action validate using long-lived
on:
push:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Run EC Validator
uses: enterprise-contract/action-validate-image@v1.0.18
with:
image: quay.io/konflux-ci/ec-golden-image:latest
key: ${{ vars.PUBLIC_KEY }}
policy: github.com/enterprise-contract/config//slsa3
extra-params: --ignore-rekorCopy and Paste: Insert the example snippet below into your .github/workflows/ directory.
- Replace the Image with your image URL or file path within the
imageparameter. - Provide your certificate's identity.
- Add your certificate's OIDC issuer details.
name: example of action validate using keyless
on:
push:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Run EC Validator
uses: enterprise-contract/action-validate-image@v1.0.18
with:
image: quay.io/lucarval/festoji:latest
identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|lcarva\/festoji)\/
issuer: https://token.actions.githubusercontent.com