# Scribe GitHub Action for `valint verify`

Scribe offers GitHub Actions for embedding evidence collection and validated integrity of your supply chain.

Use `valint verify` to verify evidence (attestations) and policies.

Further documentation: GitHub integration.
## Verify Action

The command allows users to verify any target against its evidence.

- Verify image, directory, file or git targets.
- Verify evidence policy compliance across the supply chain.
- Pull evidence from the Scribe service.
- Download and search evidence in all enabled stores.
- Support Sigstore keyless verification as well as GitHub workload identity.
## Input arguments

```yaml
target:
  description: Target object name format=[<image:tag>, <dir path>, <git url>] (Optional)
  required: true
attest-config:
  description: Attestation config path
attest-default:
  description: Attestation default config, options=[sigstore sigstore-github x509 x509-env kms pubkey]
attestation:
  description: Attestation for target
base-image:
  description: Base image for the target
bom:
  description: Create target SBOM evidence
bundle:
  description: Policy bundle uri/path (early-availability)
bundle-auth:
  description: 'Bundle repository authentication info, [format: ''username:password'']'
bundle-branch:
  description: Bundle branch in the repository
bundle-commit:
  description: Bundle commit hash in the repository
bundle-depth:
  description: Bundle clone depth
bundle-tag:
  description: Bundle tag in the repository
ca:
  description: x509 CA Chain path
cert:
  description: x509 Cert path
common-name:
  description: Default policy allowed common names
crl:
  description: x509 CRL path
crl-full-chain:
  description: Enable full chain CRL verification
depth:
  description: Git clone depth
disable-crl:
  description: Disable certificate revocation verification
email:
  description: Default policy allowed emails
force:
  description: Force skip cache
format:
  description: Policy Result Evidence format, options=[statement-sarif attest-sarif sarif ]
git-auth:
  description: 'Git repository authentication info, [format: ''username:password'']'
git-branch:
  description: Git branch in the repository
git-commit:
  description: Git commit hash in the repository
git-tag:
  description: Git tag in the repository
initiative:
  description: Run only rules with specified initiative
input-format:
  description: Input Evidence format, options=[attest-cyclonedx-json attest-slsa statement-slsa statement-cyclonedx-json statement-generic attest-generic ]
key:
  description: x509 Private key path
kms:
  description: Provide KMS key reference
oci:
  description: Enable OCI store
oci-repo:
  description: Select OCI custom attestation repo
pass:
  description: Private key password
payload:
  description: Path of the decoded payload
platform:
  description: Select target platform, examples=windows/armv6, arm64 ..)
policy:
  description: Policy configuration file path (early-availability)
provenance:
  description: Create target SLSA Provenance evidence
pubkey:
  description: Public key path
public-key:
  description: Public key path
rule:
  description: Rule configuration file path (early-availability)
rule-args:
  description: Policy arguments
rule-label:
  description: Run only rules with specified label
skip-bundle:
  description: Skip bundle download
skip-report:
  description: Skip Policy report stage
uri:
  description: Default policy allowed uris
cache-enable:
  description: Enable local cache
config:
  description: Configuration file path
deliverable:
  description: Mark as deliverable, options=[true, false]
env:
  description: Environment keys to include in evidence
gate:
  description: Policy Gate name
input:
  description: Input Evidence target, format (\<parser>:\<file> or \<scheme>:\<name>:\<tag>)
label:
  description: Add custom labels
level:
  description: Log depth level, options=[panic fatal error warning info debug trace]
log-context:
  description: Attach context to all logs
log-file:
  description: Output log to file
output-directory:
  description: Output directory path
  default: ./scribe/valint
output-file:
  description: Output file name
pipeline-name:
  description: Pipeline name
predicate-type:
  description: Custom Predicate type (generic evidence format)
product-key:
  description: Product Key
product-version:
  description: Product Version
scribe-client-id:
  description: Scribe Client ID (deprecated)
scribe-client-secret:
  description: Scribe Client Token
scribe-disable:
  description: Disable scribe client
scribe-enable:
  description: Enable scribe client (deprecated)
scribe-url:
  description: Scribe API Url
structured:
  description: Enable structured logger
timeout:
  description: Timeout duration
verbose:
  description: Log verbosity level [-v,--verbose=1] = info, [-vv,--verbose=2] = debug
```
## Usage

The containerized action can be used on Linux runners as follows:

```yaml
- name: valint verify
  id: valint_verify
  uses: scribe-security/action-verify@v1.5.18
  with:
    target: 'busybox:latest'
```

The composite action can be used on Linux or Windows runners as follows:

```yaml
- name: Generate cyclonedx json SBOM
  uses: scribe-security/action-verify-cli@v1.5.18
  with:
    target: 'hello-world:latest'
```

Use `master` instead of a tag to automatically pull the latest version.
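The bullet list above mentions Sigstore keyless verification backed by GitHub workload identity. The workflow below is an added example (not from the Scribe documentation or the project's own code) that wires the `attest-default: sigstore-github` input into a generate-then-verify pipeline. It assumes `scribe-security/action-bom` accepts the same `attest-default` input as the verify action, uses `busybox:latest` and `example-product` as placeholder target and product values, and relies on the GitHub OIDC token, which a job only receives when it is granted `id-token: write`.

```yaml
name: scribe_keyless_sign_verify
on:
  push:
    tags:
      - "*"

# Keyless (sigstore-github) signing and verification use the GitHub OIDC
# workload identity token; without id-token: write the job has no token
# and the attestation step cannot obtain a signing identity.
permissions:
  contents: read
  id-token: write

jobs:
  sign-and-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Produce a signed SBOM attestation for the image.
      # Assumption: action-bom accepts attest-default like action-verify.
      - name: valint bom (keyless)
        uses: scribe-security/action-bom@master
        with:
          target: busybox:latest          # placeholder target
          format: attest
          attest-default: sigstore-github
          product-key: example-product    # placeholder product key
          product-version: ${{ github.ref_name }}
          scribe-client-secret: ${{ secrets.SCRIBE_TOKEN }}

      # Verify that attestation for the same target, product and version.
      # input-format selects the attestation kind generated above.
      - name: valint verify (keyless)
        uses: scribe-security/action-verify@master
        with:
          target: busybox:latest          # placeholder target
          input-format: attest-cyclonedx-json
          attest-default: sigstore-github
          product-key: example-product    # placeholder product key
          product-version: ${{ github.ref_name }}
          scribe-client-secret: ${{ secrets.SCRIBE_TOKEN }}
```

Keeping `product-key` and `product-version` identical on both steps is what lets the verify step locate the evidence written by the bom step. With keyless signing, the `email`, `uri` and `common-name` inputs listed above are the place to restrict which signer identities the default policy accepts, so that an attestation signed by a different workflow or account is rejected rather than trusted.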
### 1. Obtain a Scribe Hub API Token

- Sign in to Scribe Hub. If you don't have an account you can sign up for free here.
- Create an API token in Scribe Hub > Settings > Tokens. Copy it to a safe temporary notepad until you complete the integration.

The token is a secret and will not be accessible from the UI after you finalize the token generation.

### 2. Add the API token to GitHub secrets

Set your Scribe Hub API token in GitHub with a key named `SCRIBE_TOKEN` as instructed in [GitHub instructions](https://docs.github.com/en/actions/security-guides/encrypted-secrets/ "GitHub Instructions").
### 3. Instrument your build scripts

Usage:

```yaml
name: scribe_github_workflow
on:
  push:
    tags:
      - "*"
jobs:
  scribe-sign-verify:
    runs-on: ubuntu-latest
    steps:
      # - uses: scribe-security/action-evidence@master
      # - uses: scribe-security/action-slsa@master
      - uses: scribe-security/action-bom@master
        with:
          target: [target]
          format: [attest, statement]
          scribe-client-secret: ${{ secrets.SCRIBE_TOKEN }}
      - uses: scribe-security/action-verify@master
        with:
          target: [target]
          input-format: [attest, statement, attest-slsa, statement-slsa, attest-generic, statement-generic]
          scribe-client-secret: ${{ secrets.SCRIBE_TOKEN }}
```