feat(supply-chain): cosign-verify argus images + security policy doc

Closes hardening items (3) and (4) from "Secret Handling & Credential
Surface Hardening" in docs/developer/SDK-ROADMAP.md.

Item (3) — cosign + digest-pin verification at pull time:

- argus/core/image_verify.py: new module classifies every pulled
  image into one of four paths:
    * argus-owned (ghcr.io/huntridge-labs/argus/*): cosign keyless
      verify against the publish workflow's identity + GitHub
      Actions OIDC issuer. Failure is fatal — scanner does not run.
    * third-party with @sha256: digest pin: Docker enforces
      content-hash match at pull, no cosign call. Logged at DEBUG.
    * third-party with tag-only pin: no crypto guarantee. One
      WARNING per scan run via report_tag_pinned_summary listing
      every tag-pinned image with a migration hint.
    * verification disabled: skipped wholesale (DEBUG log).
- argus/core/engine.py: _run_in_container now calls verify_image
  right after _pull_image succeeds, accumulating results in
  self._verify_results. Fatal verification raises RuntimeError
  before subprocess.run, so the scanner subprocess never starts.
  Summary tag-pinned WARNING emitted once at end of run().
- argus/core/config.py: ExecutionConfig.verify_image_signatures
  defaults to True. Opt-out for air-gapped environments via
  execution.verify_image_signatures: false in argus.yml.
- argus/core/schema.py: new bool-typed config key with validator.
- Stdlib + cosign binary on PATH; no Python sigstore dependency.
  Fails up front with an install hint if cosign is missing.

Item (4) — written policy doc:

- docs/security.md: TL;DR table, threat model (defends-against +
  does-not-defend-against), credential precedence with worked
  examples (stdin > <field>_env > literal), container image
  provenance section walking through each verification path, the
  air-gapped opt-out, and a vulnerability-reporting pointer to
  GitHub Security Advisories.

Tests:
- argus/tests/core/test_image_verify.py: 21 tests covering image
  classification, all four verification paths, cosign output
  truncation, the tag-pinned summary dedup/no-warning behavior.
- argus/tests/test_engine.py::TestSupplyChainVerificationGate: 6
  engine-integration tests verifying the verify-then-run gate,
  cosign-fail-aborts-scanner contract, third-party digest-pin
  no-cosign-call, tag-only summary at run end, opt-out behavior,
  and missing-cosign-binary fatal handling.

.ai/ updates:
- architecture.yaml: new core/image_verify.py entry in both SDK
  structure blocks describing classification + engine integration.

Roadmap:
- Items (3) and (4) flipped to shipped with implementation summary
  and links. Items (5) — defensive audit-trail redact — remains
  queued.

Full suite: 3107 passed (+27 new), 2 skipped.

Follow-up roadmap item already noted: migrate third-party image
tags in argus/containers.py to @sha256: digest pins. Renovate can
keep them current once pinned.

Author: eFAILution

.ai/architecture.yaml

@@ -39,6 +39,7 @@ components:
       "core/tool_config.py": "Auto-discovery of per-scanner canonical config files (.bandit, .checkov.yaml, trivy.yaml, osv-scanner.toml, semgrep.yml)"
       "core/sbom.py": "SBOM format detection (CycloneDX JSON/XML, SPDX JSON/tag-value, Syft JSON) for ``argus scan --sbom``"
       "core/secrets.py": "Credential resolution for any scanner config field. resolve_secret(config, field, *, stdin_override=None) accepts three forms in precedence order: stdin_override (highest, populated by CLI --*-password-stdin flags via a module-level slot registry — set_stdin_override / get_stdin_override / clear_stdin_overrides), <field>_env (env-var name reference; reads os.environ at scan time), or <field> literal (back-compat, warned at config-load if vendor-shaped via looks_like_literal_secret). The stdin path never reaches the per-scanner config dict so it can't leak into argus-audit.json / argus.log. validate_env_var_name enforces POSIX shell identifier rules. Stdlib-only. Used by scanners.container and scanners.zap; future scanners with credential needs use the same helper. See ADR-024."
+      "core/image_verify.py": "Supply-chain verification for container images at pull time. verify_image(ref) classifies the ref into: argus-owned (ghcr.io/huntridge-labs/argus/* — cosign keyless verify against the publish workflow's identity + GitHub Actions OIDC issuer; failure is fatal), third-party with @sha256: digest pin (Docker enforces content-hash match at pull, no cosign call needed), or third-party tag-only (logged once per scan via report_tag_pinned_summary). Engine calls this after _pull_image succeeds; fatal results raise RuntimeError before the scanner runs. Config knob: execution.verify_image_signatures (default True; opt-out for air-gapped). Stdlib + cosign binary on PATH; no Python sigstore dep. See docs/security.md."
       "core/findings_view.py": "Shared UI-free logic for findings display — ViewState, SEVERITY_ORDER, finding_detail_rows, compute_summary, diff_scans (scan-over-scan bucketing keyed off (scanner, id, location)). Consumed by argus view terminal (TUI ``D`` keybind, DiffScreen) and argus view browser (web UI ``/diff`` route)."
       "viewers/": "`argus view` interfaces (optional extras)"
       "viewers/__init__.py": "ViewerUnavailable shared exception"
@@ -472,6 +473,7 @@ docsite:
       "core/tool_config.py": "Auto-discovery of per-scanner canonical config files (.bandit, .checkov.yaml, trivy.yaml, osv-scanner.toml, semgrep.yml)"
       "core/sbom.py": "SBOM format detection (CycloneDX JSON/XML, SPDX JSON/tag-value, Syft JSON) for ``argus scan --sbom``"
       "core/secrets.py": "Credential resolution for any scanner config field. resolve_secret(config, field, *, stdin_override=None) accepts three forms in precedence order: stdin_override (highest, populated by CLI --*-password-stdin flags via a module-level slot registry — set_stdin_override / get_stdin_override / clear_stdin_overrides), <field>_env (env-var name reference; reads os.environ at scan time), or <field> literal (back-compat, warned at config-load if vendor-shaped via looks_like_literal_secret). The stdin path never reaches the per-scanner config dict so it can't leak into argus-audit.json / argus.log. validate_env_var_name enforces POSIX shell identifier rules. Stdlib-only. Used by scanners.container and scanners.zap; future scanners with credential needs use the same helper. See ADR-024."
+      "core/image_verify.py": "Supply-chain verification for container images at pull time. verify_image(ref) classifies the ref into: argus-owned (ghcr.io/huntridge-labs/argus/* — cosign keyless verify against the publish workflow's identity + GitHub Actions OIDC issuer; failure is fatal), third-party with @sha256: digest pin (Docker enforces content-hash match at pull, no cosign call needed), or third-party tag-only (logged once per scan via report_tag_pinned_summary). Engine calls this after _pull_image succeeds; fatal results raise RuntimeError before the scanner runs. Config knob: execution.verify_image_signatures (default True; opt-out for air-gapped). Stdlib + cosign binary on PATH; no Python sigstore dep. See docs/security.md."
       "core/findings_view.py": "Shared UI-free logic for findings display — ViewState, SEVERITY_ORDER, finding_detail_rows, compute_summary, diff_scans (scan-over-scan bucketing keyed off (scanner, id, location)). Consumed by argus view terminal (TUI ``D`` keybind, DiffScreen) and argus view browser (web UI ``/diff`` route)."
       "viewers/": "`argus view` interfaces (optional extras)"
       "viewers/__init__.py": "ViewerUnavailable shared exception"

argus/core/config.py

@@ -45,6 +45,14 @@ class ExecutionConfig:
     # enough overlap to win on a 5-scanner run with distinct images, low
     # enough that ghcr.io / dockerhub don't throttle.
     prewarm_workers: int = 4
+    # Supply-chain: cosign-verify argus-owned container images on pull
+    # (third-party with @sha256: digest pins are trusted by Docker's
+    # pull-time content match; tag-only third-party images log one
+    # WARNING per scan run). Default True — fail-closed for the
+    # 4 images argus itself publishes. Opt out wholesale by setting
+    # this to False (e.g., air-gapped environments with no Sigstore /
+    # Rekor network access). See docs/security.md.
+    verify_image_signatures: bool = True
 
 
 @dataclass
@@ -241,4 +249,5 @@ def _parse_execution_config(raw: dict | None) -> ExecutionConfig:
         pull_policy=raw.get("pull_policy", "if-not-present"),
         prewarm_images=bool(raw.get("prewarm_images", True)),
         prewarm_workers=int(raw.get("prewarm_workers", 4)),
+        verify_image_signatures=bool(raw.get("verify_image_signatures", True)),
     )

argus/core/engine.py

@@ -68,6 +68,12 @@ def __init__(self, config: ArgusConfig):
         # can consult it from a worker thread without arg-threading every
         # internal call site.
         self._prewarmer = None
+        # Supply-chain verification results, one per container pull this
+        # run. Consumed by ``report_tag_pinned_summary`` at end of
+        # ``run()`` to emit a single WARNING listing tag-pinned third-
+        # party images (rather than N warnings for N scanners).
+        from argus.core.image_verify import VerifyResult  # local import
+        self._verify_results: list[VerifyResult] = []
 
     def register_scanner(self, scanner: Scanner) -> None:
         """Register a scanner instance for use by the engine."""
@@ -192,6 +198,13 @@ def run(
             # network already has the bandwidth — no point racing it).
             self._shutdown_prewarm()
 
+            # Supply-chain: one WARNING per run listing all third-party
+            # tag-pinned images. Logged here (not per-scanner) so a
+            # user with N scanners pointing at trivy doesn't see N
+            # identical warnings.
+            from argus.core.image_verify import report_tag_pinned_summary
+            report_tag_pinned_summary(self._verify_results)
+
         # TODO: Add total_duration_ms to ScanSummary for audit trail.
         # Requires a model change (new field on the ScanSummary dataclass).
         # Per-scanner duration_ms is already recorded in each ScanResult.metadata.
@@ -759,6 +772,43 @@ def _run_in_container(
             if not self._pull_image(image):
                 raise RuntimeError(f"Failed to pull container image: {image}")
 
+        # Supply-chain verification (ADR-024 + roadmap item #3):
+        #   - argus-owned images get cosign-verified against the
+        #     publish workflow's identity; failure aborts the scanner;
+        #   - third-party images with @sha256: digest pins are trusted
+        #     by Docker's pull-time content-hash enforcement;
+        #   - third-party tag-only pins log nothing here — the engine
+        #     emits a single summary WARNING at end of ``run()``.
+        # Default is verify_image_signatures=True (security-first); the
+        # user can opt out wholesale via execution.verify_image_signatures.
+        from argus.core.image_verify import verify_image, VerifyStatus
+        verify_signatures = getattr(
+            self.config.execution, "verify_image_signatures", True,
+        )
+        v = verify_image(image, verify_signatures=verify_signatures)
+        self._verify_results.append(v)
+        if v.is_fatal:
+            logger.error(
+                "Supply-chain verification FAILED for '%s' (%s): %s",
+                image, v.status.value, v.message,
+            )
+            raise RuntimeError(
+                f"Supply-chain verification failed for {image}: "
+                f"{v.message}"
+            )
+        if v.status == VerifyStatus.VERIFIED_COSIGN:
+            logger.info(
+                "Supply-chain: %s — cosign verified (argus-owned)", image,
+            )
+        elif v.status == VerifyStatus.VERIFIED_DIGEST_PIN:
+            logger.debug(
+                "Supply-chain: %s — verified via digest pin", image,
+            )
+        elif v.status == VerifyStatus.SKIPPED_BY_CONFIG:
+            logger.debug(
+                "Supply-chain: %s — verification disabled by config", image,
+            )
+
         digest = self._get_image_digest(image)
         logger.info(
             "Running '%s' in container: %s (digest=%s)",

argus/core/image_verify.py

@@ -0,0 +1,236 @@
+"""Container image signature / pin verification.
+
+Two complementary supply-chain checks are run for every image argus
+pulls:
+
+  * **Argus-owned images** (``ghcr.io/huntridge-labs/argus/*``) are
+    cosign-signed at publish time via keyless Sigstore. We verify
+    each pull against the expected certificate identity (our publish
+    workflow URI) and OIDC issuer (GitHub Actions). Verification
+    failure is fatal — refuse to run the scanner.
+
+  * **Third-party images** (Trivy, Grype, Checkov, OSV, ZAP,
+    Hadolint, ESLint, etc.) are not in our signing surface. Two
+    sub-paths:
+      - ``image@sha256:...`` (digest pin): trust by content hash.
+        Docker enforces digest match at pull time, so the pull
+        itself *is* the verification — we report this and move on.
+      - tag-only (``image:tag``): no cryptographic guarantee. We
+        let the scan proceed but emit a single WARNING listing the
+        tag-pinned images, with a hint to migrate to digest pins.
+
+The combined policy is documented in ``docs/security.md`` and is
+the implementation of items (3) + (4) from the
+*Secret Handling & Credential Surface Hardening* roadmap section.
+
+Stdlib + ``cosign`` binary only — no Python sigstore dependency to
+keep the install lean.
+"""
+
+from __future__ import annotations
+
+import logging
+import shutil
+import subprocess
+from dataclasses import dataclass
+from enum import Enum
+from typing import Iterable
+
+logger = logging.getLogger("argus")
+
+
+# The Fulcio certificate's ``subject`` field for keyless sigstore
+# signatures captures the URI of the GitHub workflow that performed
+# the signing. We anchor verification to *our* publish workflow plus
+# *our* OIDC issuer; the certificate-identity regexp is permissive
+# across refs (tags, branches) so a workflow-internal change doesn't
+# force a security-policy update.
+ARGUS_OWNED_PREFIX = "ghcr.io/huntridge-labs/argus/"
+ARGUS_CERT_IDENTITY_REGEXP = (
+    r"^https://github\.com/huntridge-labs/argus/"
+    r"\.github/workflows/publish-release\.yml@"
+)
+ARGUS_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
+
+
+class VerifyStatus(Enum):
+    """Outcome of a single image verification attempt."""
+
+    VERIFIED_COSIGN = "verified_cosign"
+    VERIFIED_DIGEST_PIN = "verified_digest_pin"
+    SKIPPED_TAG_PIN = "skipped_tag_pin"
+    SKIPPED_BY_CONFIG = "skipped_by_config"
+    FAILED_COSIGN = "failed_cosign"
+    FAILED_COSIGN_BINARY_MISSING = "failed_cosign_binary_missing"
+
+
+@dataclass(frozen=True)
+class VerifyResult:
+    """The result of verifying a single image reference."""
+
+    status: VerifyStatus
+    image: str
+    message: str
+
+    @property
+    def is_fatal(self) -> bool:
+        """True if the scanner using this image must NOT run."""
+        return self.status in (
+            VerifyStatus.FAILED_COSIGN,
+            VerifyStatus.FAILED_COSIGN_BINARY_MISSING,
+        )
+
+
+def is_argus_owned(image: str) -> bool:
+    """Return True if ``image`` is published from this repository."""
+    return image.startswith(ARGUS_OWNED_PREFIX)
+
+
+def has_digest_pin(image: str) -> bool:
+    """Return True if ``image`` has a content-addressable ``@sha256:`` pin."""
+    return "@sha256:" in image
+
+
+def verify_image(
+    image: str,
+    *,
+    verify_signatures: bool = True,
+    cosign_runner=None,
+) -> VerifyResult:
+    """Verify a single image reference.
+
+    ``cosign_runner`` is an optional callable for tests; it receives
+    the argv list and must return a ``subprocess.CompletedProcess``-
+    shaped object with ``returncode``, ``stdout``, ``stderr``. The
+    default uses ``subprocess.run`` with cosign on PATH.
+    """
+    if not image:
+        return VerifyResult(
+            status=VerifyStatus.SKIPPED_BY_CONFIG,
+            image=image,
+            message="empty image reference — nothing to verify",
+        )
+
+    if not verify_signatures:
+        return VerifyResult(
+            status=VerifyStatus.SKIPPED_BY_CONFIG,
+            image=image,
+            message="signature verification disabled via "
+                    "execution.verify_image_signatures: false",
+        )
+
+    # Argus-owned: cosign verify, fail-on-failure.
+    if is_argus_owned(image):
+        return _verify_cosign(image, cosign_runner=cosign_runner)
+
+    # Third-party with digest pin: Docker enforces content-hash match
+    # at pull. No additional verification needed.
+    if has_digest_pin(image):
+        return VerifyResult(
+            status=VerifyStatus.VERIFIED_DIGEST_PIN,
+            image=image,
+            message="verified via @sha256 digest pin (Docker enforces "
+                    "content-hash match at pull)",
+        )
+
+    # Third-party with tag-only pin: no crypto guarantee. Let the scan
+    # proceed but report so the caller can warn once per run.
+    return VerifyResult(
+        status=VerifyStatus.SKIPPED_TAG_PIN,
+        image=image,
+        message="third-party image is tag-pinned (mutable). Pull "
+                "succeeds but no signature or digest guarantee. "
+                "Migrate to image@sha256:... for content-addressable "
+                "trust.",
+    )
+
+
+def _verify_cosign(image: str, *, cosign_runner=None) -> VerifyResult:
+    """Run ``cosign verify`` against an argus-owned image."""
+    if cosign_runner is None:
+        if not shutil.which("cosign"):
+            return VerifyResult(
+                status=VerifyStatus.FAILED_COSIGN_BINARY_MISSING,
+                image=image,
+                message=(
+                    "cosign binary not on PATH but signature verification "
+                    "is enabled. Install cosign (https://docs.sigstore.dev/cosign/installation/) "
+                    "or set execution.verify_image_signatures: false in "
+                    "argus.yml to opt out."
+                ),
+            )
+        cosign_runner = _default_cosign_runner
+
+    cmd = [
+        "cosign", "verify", image,
+        "--certificate-identity-regexp", ARGUS_CERT_IDENTITY_REGEXP,
+        "--certificate-oidc-issuer", ARGUS_OIDC_ISSUER,
+    ]
+    try:
+        result = cosign_runner(cmd)
+    except FileNotFoundError:
+        return VerifyResult(
+            status=VerifyStatus.FAILED_COSIGN_BINARY_MISSING,
+            image=image,
+            message=(
+                "cosign binary not on PATH but signature verification "
+                "is enabled. Install cosign or set "
+                "execution.verify_image_signatures: false."
+            ),
+        )
+
+    if result.returncode == 0:
+        return VerifyResult(
+            status=VerifyStatus.VERIFIED_COSIGN,
+            image=image,
+            message="cosign keyless verify passed "
+                    "(identity=argus publish workflow, "
+                    "issuer=token.actions.githubusercontent.com)",
+        )
+
+    # Cosign failure — surface stderr so the user can act. Be careful
+    # not to log credential-shaped strings; cosign output is the
+    # canonical Sigstore/Fulcio error path and doesn't carry secrets.
+    stderr = (result.stderr or "").strip()
+    return VerifyResult(
+        status=VerifyStatus.FAILED_COSIGN,
+        image=image,
+        message=(
+            f"cosign verify FAILED for argus-owned image. "
+            f"cosign output: {stderr[:500]}"
+        ),
+    )
+
+
+def _default_cosign_runner(cmd: list[str]) -> subprocess.CompletedProcess:
+    """Production cosign runner — captures output, never raises on rc != 0."""
+    return subprocess.run(
+        cmd, capture_output=True, text=True,
+        encoding="utf-8", errors="replace",
+    )
+
+
+def report_tag_pinned_summary(results: Iterable[VerifyResult]) -> None:
+    """Emit one WARNING summarizing third-party tag-pinned images.
+
+    Called once per scan run after all verification has occurred so
+    users don't get N separate warnings for N scanners pointing at the
+    same registry. Silent if nothing was tag-pinned.
+    """
+    tag_pinned = [
+        r.image for r in results
+        if r.status == VerifyStatus.SKIPPED_TAG_PIN
+    ]
+    if not tag_pinned:
+        return
+    # Deduplicate but preserve order (Python 3.7+ dict ordering).
+    unique = list(dict.fromkeys(tag_pinned))
+    logger.warning(
+        "%d third-party image(s) pulled with mutable tag pins "
+        "(no cryptographic guarantee): %s. Migrate to "
+        "@sha256:... digest pins in argus/containers.py for "
+        "content-addressable trust. See docs/security.md for the "
+        "supply-chain policy.",
+        len(unique),
+        ", ".join(unique),
+    )

argus/core/schema.py

@@ -71,6 +71,7 @@
     "pull_policy",
     "prewarm_images",
     "prewarm_workers",
+    "verify_image_signatures",
 }
 
 # Top-level containers block keys
@@ -416,6 +417,16 @@ def _validate_execution(path: str, data: Any) -> list[ConfigError]:
                 f"Must be a positive integer (>=1), got {workers!r}",
             ))
 
+    # Supply-chain signature verification flag — bool
+    if "verify_image_signatures" in data and not isinstance(
+        data["verify_image_signatures"], bool,
+    ):
+        errors.append(ConfigError(
+            f"{path}.verify_image_signatures",
+            f"Must be a boolean (true/false), got "
+            f"{type(data['verify_image_signatures']).__name__}",
+        ))
+
     return errors