kube-tarian / sigrun Goto Github PK

Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.

Home Page: https://sigrun.dev

License: Apache License 2.0

Go 96.56% Dockerfile 1.07% Shell 2.20% Standard ML 0.17%

sigstore cosign rekor fulcio containers artifacts signature signature-verification kubernetes pods

sigrun's Introduction

SigRun

Sign your artifacts source code or container images using Sigstore chain of tools & Known Container Image Build tools, Save the Signatures you want to use within your Infra, and Validate & Control the deployments to allow only the known Signatures. Shift-left your supply chain security!

What's with the Name (in case if you are curious)? You can think of multiple ways. It has a flexible interpretation, like Signatures for Runtime or Runtime Signatures or Sign Software for Runtime use. Whatever you want to imagine! 😃

Install

Dependencies

Before installing the application the following dependencies need to be installed:

Kubernetes command line application kubectl
Golang version greater than 1.16

go install cmd/sigrun/sigrun.go

Usage

sigrun --help

Please refer to this for information about basic flow.

Purpose:

To make it easy to use SigStore chain of tools. Make the Supply Chain Security for Software adoption easy.

Usage feasibility:

Local, CI/CD pipelines, K8s Clusters, VMs.

Features:

Using Sigstore tools in your Infra for Air-Gap offline usage via your CI/CD Pipeline
Sign your artifacts, container images, files, packages, etc. automatically along with their sha256 digest creation & saving into ledger
Private & Public key-pair generator (Cosign, GPG, and more in future) for signing
Keyless signing
Save your artifacts signatures to certain ledger storage
Save your container image signatures to certain ledger storage
Validate Signatures using Storage location of Signatures
Control deployments to allow only known Signatures using our Custom Admission Controller or OPA/Kyverno/Gatekeeper
Vault Integration to save Keys if you prefer to save private key(s)
CI/CD Tools integration
Integration with tools like Buildpacks, Buildah, Source2Image, Kaniko, Skaffold, Docker Build, Podman, etc.
OIDC/Dex embeded for Login
Vulnerability Scanning of your container images
Integrate with Non-Profit SigStore public services/tools
Integrate with Syft for Software Bill of Materials (SBOM) [github.com/anchore/syft]
Integrate with Package Hunter by Gitlab [gitlab.com/gitlab-org/security-products/package-hunter]

Contributing

See docs/contributing.md

Code of Conduct

See CODE_OF_CONDUCT.md

CodeOwners & Maintainers list

See MAINTAINERS.md

sigrun's People

Contributors

Stargazers

Watchers

Forkers

syllogy srikrishnabh1 ducthinh993

sigrun's Issues

Remove unneeded base64 encoding from kubernetes objects and config signature

Implement list command according to spec

Implement configure command according to spec

Change chain number to uuid

Controller should not have admin permissions

Currently controller has admin permissions, please change this.

Update should be resistant to attacks where chain is altered

genesis file can be altered by hacker making chain have different guid

SigRun whole Documentation

Manage CLI state

Investigate popular methods of managing cli state

Add tests

Add support for annotations

Implement sigrun repo concept in code

change sigrun commit to sigrun chain-commit

Integrate dex for login

Give option to use combination of key-pair and keyless mode

Fix basic flow bugs

use timestamping service for sigrun ledger similar to rekor

use RFC 3161 timestamping service to save the timestamp format of RFC3161 timestamp as well along with the existing timestamp you are saving in sigrun ledger.
We can use those timestamps as well on the validation side policies in kyverno & OPA.

https://blog.sigstore.dev/its-ten-o-clock-do-you-know-where-your-private-keys-are-5c869cf53234

Implement remove command according to spec

Cache configmap in webhook

Implement init cluster command according to spec

rekor & ledger upload option in cli for the end user

Give a persistent configuration setting for the end user to set whether to use rekor server to upload transparency log or not (of course we still have to create sigrun ledger as usual, no change in that).

If the end user wants to ignore rekor log upload and only use our ledger file to upload to the custom git repo, this will be good user experience.

Should only allow maintainer to use sign and commit commands in keyless mode

Add metadata field to config file

Add error handling and logging to webhook

Revise config file

{
	"Organization": "devopstoday211",
	"Maintainers": "something",
	"sigrun-sign-id": "sdafasdf1213sas",
	"PublicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0zl9+NowQv3ILEqzVdxsBapesA0G\nWcFWdFQsSU4648ZDo17kh8z7g59VbHg0ABNttsYKPQmd7JjYbUXfqp+SAA==\n-----END PUBLIC KEY-----\n",
	"Images": [
		"docker.io/shravanss/sigrun-example"
	],
	"Signatures": [
		{
			"timestamp": "",
			"signed-by": "",
			"sign-mode": "",
			"commit-id": "",
			"signature":"",
			"signer": "[email protected]",
			"cert": "",
			"checksum": "",
			"iam": "github.com/azure.com/gmail.com/linkedin.com/gitlab.com/bitbucket/atlassian"
		},
		{

		}
	]
}