otel-sig-security-example-go

Example of a Go project following SIG Security's recommendations

APACHE-2.0 License

Stars
2
View Code on GitHub View on X
Ecosystems: Go

otel-sig-security-example-go

Example of a Go project following SIG Security's recommendations

What's in here

  • GitHub Actions creating attestations during the release phase
  • CodeQL, for static analysis

Optionally, we have examples of the following, which are NOT official recommendations at this point:

  • Pinning of versions for GitHub Actions, updated weekly by Renovate

How to verify attestations

Attestations are created as part of the release and send metadata about the build (provenance) that was used to generate that artifact. An SHA-256 checksum is used as the key for that, so that users can use a checksum of a local artifact to obtain information about the origins of that artifact.

We list here two possible ways to verify the provenance of our deliverables: a binary, and a container image.

Using GitHub CLI

Verifying the binary using GitHub CLI tool (gh):

gh attestation verify otel-sig-security-example-go_0.0.3_linux_amd64.tar.gz --owner jpkrohling

Verifying the container image using gh:

gh attestation verify oci://ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3 --owner jpkrohling

Note: jpkrohling refers to the organization, and would be open-telemetry on our actual repositories.

Sigstore's Transparency logs

The transparency logs can be queried here: Sigstore's Transparency Logs

Verifying the binary:

  • Get the sha256sum for the file: sha256sum otel-sig-security-example-go_0.0.3_linux_amd64.tar.gz
  • Open the transparency logs and get the attestation for the resulting SHA256 sum by using a query like this: sha256:0d1d5c2255d7420e2561543cf74acdd98e6800f034a64bd771f6f83d2588ca26
  • It should yield one result, with details about the process that generated that binary: Transparency Log Entry for SHA256

Verifying the container image:

  • Pull the image: docker pull ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3
  • Obtain the checksum for the image: docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3
  • As with the binary, use the checksum to query the transparency logs: Transparency Log Entry for Image SHA256
Package Rankings
Top 6.47% on Proxy.golang.org
Related Projects
java-nodejs-python-go-etc-docker

The image is based on the official debian:stable-date-slim image, and the main modules are instal...

10 Apr 2020 3
estaleiro

building container images with bill of materials

12 Jul 2019 2
slsa-go

01 Mar 2022 0
container-image-sign-and-verify-with-cosign-and-opa

This is just a proof-of-concept project that aims to sign and verify container images using cosig...

25 Jun 2021 62
certified-kubernetes-security-specialist

References for CKS Exam Objectives - Certified Kubernetes Security Specialist

16 Sep 2020 137
docker-hello-world

Example hello world container showing how to use GitHub Container Registry

24 Feb 2021 14
slsa-github-generator-node

Secure build of npm artifact with provenance

17 Apr 2022 0
harp

Secret management by contract toolchain

25 Nov 2020 145
dottie

Simplify working with .env files

03 Feb 2024 11
dockle

Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start

23 May 2019 2,653
kontain.me

Container image registry that serves images built fresh when you ask for them

08 Dec 2018 212