Skip to main content

Travis CI

Use the following instructions to integrate your Travis CI pipelines with Scribe.

1. Obtain a Scribe Hub API Token

  1. Sign in to Scribe Hub. If you don't have an account you can sign up for free here.

  2. Create a API token in Scribe Hub > Settings > Tokens. Copy it to a safe temporary notepad until you complete the integration.

Important

The token is a secret and will not be accessible from the UI after you finalize the token generation.

2. Add the API token to the Travis CI secrets

Add the Scribe Hub API token as SCRIBE_TOKEN to your environment by following the Travis CI setting up environment variables instructions

3. Install Scribe CLI

Valint (Scribe CLI) is required to generate evidence in such as SBOMs and SLSA provenance. Install Valint on your build runner with the following command

sh 'curl -sSfL https://get.scribesecurity.com/install.sh | sh -s -- -b ./temp/bin'

Alternatively, add an instalation stage at the beginning of your relevant builds as follows:

install:
- mkdir ./bin
- curl -sSfL https://get.scribesecurity.com/install.sh| sh -s -- -b $PWD/bin
- export PATH=$PATH:$PWD/bin/

4. Instrument your build scripts

Usage

install:
- mkdir ./bin
- curl -sSfL https://get.scribesecurity.com/install.sh| sh -s -- -b $PWD/bin
- export PATH=$PATH:$PWD/bin/


name: "scribe-travis-job"

script:
- |
valint [bom,slsa,evidence] [target] \
--format [attest, statement] \
--context-type travis \
--output-directory ./scribe/valint \
-P $SCRIBE_TOKEN


- |
valint verify [target] \
--format [attest, statement, attest-slsa, statement-slsa, attest-generic, statement-generic] \
--context-type travis \
--output-directory ./scribe/valint \
-P $SCRIBE_TOKEN

Make sure that your Travis project has a file named .travis-ci.yml to add the following examples to:

Basic example

jobs:
include:
- name: 'bom-targets'
git:
depth: false
install:
- mkdir ./bin
- curl -sSfL https://get.scribesecurity.com/install.sh| sh -s -- -b $PWD/bin
- export PATH=$PATH:$PWD/bin/
env: test_env=test_env_value
script:
- |
valint bom busybox:latest \
--context-type travis \
--output-directory ./scribe/valint \
-f

Additional examples

Generate an SBOM for an image in a public registry
- |
valint bom busybox:latest \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate SLSA provenance for an image in a public registry
- |
valint slsa busybox:latest \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate an SBOM for for an image built with local docker
- |
valint bom image_name:latest \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate SLSA provenance for for an image built with local docker
- |
valint slsa image_name:latest \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate an SBOM for an image in a private registry

Add a docker login task before the adding the following step:

- |
valint bom scribesecurity.jfrog.io/scribe-docker-local/example:latest \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate SLSA provenance for an image in a private registry

Add a docker login task before the adding the following step:

- |
valint slsa scribesecurity.jfrog.io/scribe-docker-local/example:latest \
--context-type travis \
--output-directory ./scribe/valint \
-f
Add custom metadata to SBOM
- name: 'bom-targets'
env: test_env=test_env_value
script:
- |
valint bom busybox:latest \
--context-type travis \
--output-directory ./scribe/valint \
--env test_env --label test_label \
-f
Add custom metadata to SLSA provenance
- name: 'slsa-targets'
env: test_env=test_env_value
script:
- |
valint slsa busybox:latest \
--context-type travis \
--output-directory ./scribe/valint \
--env test_env --label test_label \
-f
Details

Export SBOM as an artifact Using command output-directory or output-file to export evidence as an artifact.

Use format input argumnet to set the format and add the following environment variables in the repository settings:

ARTIFACTS_KEY=(AWS access key id)
ARTIFACTS_SECRET=(AWS secret access key)
ARTIFACTS_BUCKET=(S3 bucket name)

For more details see Artifact documentation.

- name: 'save-artifact'
git:
depth: false

install:
- mkdir ./bin
- curl -sSfL https://get.scribesecurity.com/install.sh| sh -s -- -b $PWD/bin
- export PATH=$PATH:$PWD/bin/

script:

- |
valint bom busybox:latest \
--context-type travis \
--output-directory ./scribe/valint \
--output-file ./my_sbom.json \
-f

addons:

artifacts:
paths:
- ./scribe/valint
- ./my_sbom.json
Export SLSA provenance as an artifact

Use format input argumnet to set the format and add the following environment variables in the repository settings:

ARTIFACTS_KEY=(AWS access key id)
ARTIFACTS_SECRET=(AWS secret access key)
ARTIFACTS_BUCKET=(S3 bucket name)

For more details see Artifact documentation

- name: 'save-artifact'
git:
depth: false

install:
- mkdir ./bin
- curl -sSfL https://get.scribesecurity.com/install.sh| sh -s -- -b $PWD/bin
- export PATH=$PATH:$PWD/bin/

script:

- |
valint slsa busybox:latest \
--context-type travis \
--output-directory ./scribe/valint \
--output-file ./my_slsa.json \
-f

addons:

artifacts:
paths:
- ./scribe/valint
- ./my_slsa.json
Generate an SBOM of a local file directory
- |
mkdir testdir
echo "test" > testdir/test.txt

- |
valint bom dir:testdir \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate SLSA provenance of a local file directory
- |
mkdir testdir
echo "test" > testdir/test.txt

- |
valint slsa dir:testdir \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate an SBOM of a git repo

For a remote git repo:

- |
valint bom git:https://github.com/mongo-express/mongo-express.git \
--context-type travis \
--output-directory ./scribe/valint \
-f

For a local git repo:

Note If you use implicit checkout, git-strategy affects the commits collected into the SBOM.

- |
valint bom git:. \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate SLSA provenance of a git reop

For a remote git repo:

- |
valint slsa git:https://github.com/mongo-express/mongo-express.git \
--context-type travis \
--output-directory ./scribe/valint \
-f

For a local git repo:

Note If you use implicit checkout, git-strategy affects the commits collected.

- |
valint slsa git:. \
--context-type travis \
--output-directory ./scribe/valint \
-f
Generate and verify an SBOM statement for an image
# Generate CycloneDX SBOM statement
- |
valint bom busybox:latest \
-o statement \
--context-type travis \
--output-directory ./scribe/valint \
-f


# Verify CycloneDX SBOM statement
- |
valint verify busybox:latest \
-i statement \
--context-type travis \
--output-directory ./scribe/valint
Generate and verify SLSA provenance statement for an image
# Generate SLSA provenance
- |
valint slsa busybox:latest \
-o statement \
--context-type travis \
--output-directory ./scribe/valint \
-f

# Verify SLSA Provenance statement
- |
valint verify busybox:latest \
-i statement-slsa \
--context-type travis \
--output-directory ./scribe/valint
Generate and verify an SBOM statement for a file directory
- |
mkdir testdir
echo "test" > testdir/test.txt

# Generate CycloneDX SBOM statement
- |
valint bom dir:testdir \
-o statement \
--context-type travis \
--output-directory ./scribe/valint \
-f

# Verify CycloneDX SBOM statement
- |
valint verify dir:testdir \
-i statement \
--context-type travis \
--output-directory ./scribe/valint
Generate and verify SLSA provenance statement for a file directory
- |
mkdir testdir
echo "test" > testdir/test.txt

# Generate SLSA provenance statement
- |
valint slsa dir:testdir \
-o statement-slsa \
--context-type travis \
--output-directory ./scribe/valint \
-f

# Verify CycloneDX SBOM statement
- |
valint verify dir:testdir \
-i statement-slsa \
--context-type travis \
--output-directory ./scribe/valint
Generate and verify an SBOM statement for a git repo

For remote git repo target https://github.com/mongo-express/mongo-express.git:

- |
valint bom git:https://github.com/mongo-express/mongo-express.git \
-o statement \
--context-type travis \
--output-directory ./scribe/valint \
-f


- |
valint verify git:https://github.com/mongo-express/mongo-express.git \
-i statement \
--context-type travis \
--output-directory ./scribe/valint

For a local repo:

- |
valint bom git:. \
-o statement \
--context-type travis \
--output-directory ./scribe/valint \
-f


- |
valint verify git:. \
-i statement \
--context-type travis \
--output-directory ./scribe/valint
Generate and verify SLSA provenance statement for a git repo

For remote git repo target https://github.com/mongo-express/mongo-express.git:

- |
valint slsa git:https://github.com/mongo-express/mongo-express.git \
-o statement \
--context-type travis \
--output-directory ./scribe/valint \
-f


- |
valint verify git:https://github.com/mongo-express/mongo-express.git \
-i statement-slsa \
--context-type travis \
--output-directory ./scribe/valint

For a local repo:

- |
valint slsa git:. \
-o statement \
--context-type travis \
--output-directory ./scribe/valint \
-f


- |
valint verify git:. \
-i statement-slsa \
--context-type travis \
--output-directory ./scribe/valint