Extend the release action to sign the docker image and binary files with cosign (#781)

* Extend the release action to sign the docker image and binary files with cosign

* Fix lint warnings

* Fix the ling warnings

* Fix the lint warnings

Author: ccojocar

.github/workflows/release.yml

@@ -18,27 +18,57 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - name : Get release version
-        id: get_version
-        run: echo ::set-env name=RELEASE_VERSION::$(echo ${GITHUB_REF:10})
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.5.2'
+      - name: Store Cosign private key in a file
+        run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
+        shell: bash
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{secrets.DOCKER_USERNAME}}
+          password: ${{secrets.DOCKER_PASSWORD}}
       - name: Generate SBOM
         uses: CycloneDX/gh-gomod-generate-sbom@v1
         with:
           version: v1
           args: mod -licenses -json -output bom.json
+      - name: Docker meta
+        uses: docker/metadata-action@v3
+        id: meta
+        with:
+          images: securego/gosec
+          flavor: |
+            latest=true
+          tags: |
+            type=sha,format=long
+            type=semver,pattern={{version}}
       - name: Release Binaries
         uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
       - name: Release Docker Image
-        uses: elgohr/Publish-Docker-Github-Action@master
+        uses: docker/build-push-action@v2
         with:
-            name: securego/gosec
-            username: ${{ secrets.DOCKER_USERNAME }}
-            password: ${{ secrets.DOCKER_PASSWORD }}
-            buildargs: GO_VERSION=1.17
-            tags: "latest,${{ env.RELEASE_VERSION }}"
-            tag_names: true
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: ${{steps.meta.outputs.tags}}
+          labels: ${{steps.meta.outputs.labels}}
+          push: true
+          build-args: GO_VERSION=1.17
+      - name: Sign Docker Image
+        run: cosign sign -key /tmp/cosign.key ${TAGS}
+        env:
+          TAGS: ${{steps.meta.outputs.tags}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}

.goreleaser.yml

@@ -9,7 +9,7 @@ release:
     name: gosec
 
 builds:
-  - main : ./cmd/gosec/
+  - main: ./cmd/gosec/
     binary: gosec
     goos:
       - darwin
@@ -21,3 +21,10 @@ builds:
     ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X main.BuildDate={{.Date}}
     env:
       - CGO_ENABLED=0
+
+signs:
+- cmd: cosign
+  stdin: '{{ .Env.COSIGN_PASSWORD}}'
+  args: ["sign-blob", "--key=/tmp/cosign.key", "--output=${signature}", "${artifact}"]
+  artifacts: all
+

README.md

@@ -407,6 +407,19 @@ git push origin v1.0.0
 The GitHub [release workflow](.github/workflows/release.yml) triggers immediately after the tag is pushed upstream. This flow will
 release the binaries using the [goreleaser](https://goreleaser.com/actions/) action and then it will build and publish the docker image into Docker Hub.
 
+The released artifacts are signed using [cosign](https://docs.sigstore.dev/). You can use the public key from [cosign.pub](cosign.pub) 
+file to verify the signature of docker image and binaries files.
+
+The docker image signature can be verified with the following command:
+```
+cosign verify --key cosign.pub securego/gosec:<TAG>
+```
+ 
+The binary files signature can be verified with the following command:
+```
+cosign verify-blob --key cosign.pub --signature gosec_<VERSION>_darwin_amd64.tar.gz.sig  gosec_<VERSION>_darwin_amd64.tar.gz
+```
+
 ### Docker image
 
 You can also build locally the docker image by using the command:
@@ -450,4 +463,4 @@ This is a [list](USERS.md) with some of the gosec's users.
 
 Support this project by becoming a sponsor. Your logo will show up here with a link to your website
 
-<a href="https://github.com/mercedes-benz" target="_blank"><img src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4"></a>
+<a href="https://github.com/mercedes-benz" target="_blank"><img src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4"></a>

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFphl7f2VuFRfsi4wqiLUCQ9xHQgV
+O2VMDNcvh+kxiymLXa+GkPzSKExFYIlVwfg13URvCiB+kFvITmLzuLiGQg==
+-----END PUBLIC KEY-----

report/html/writer.go

@@ -1,7 +1,6 @@
 package html
 
 import (
-
 	// use go embed to import template
 	_ "embed"
 	"html/template"

report/text/writer.go

@@ -3,9 +3,7 @@ package text
 import (
 	"bufio"
 	"bytes"
-
-	// use go embed to import template
-	_ "embed"
+	_ "embed" // use go embed to import template
 	"fmt"
 	"io"
 	"strconv"