Security hardening (#7)

starkross · web-flow · commit 0ddbe7f06032 · 2026-04-07T17:27:01.000+02:00
* Security hardening
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,11 +10,14 @@ concurrency:
 permissions:
   contents: write
   packages: write
+  id-token: write # cosign keyless OIDC + SLSA provenance
 
 jobs:
   release:
     runs-on: ubuntu-latest
     timeout-minutes: 20
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -28,13 +31,41 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
+      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - uses: anchore/sbom-action/download-syft@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
       - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
         with:
           version: "~> v2"
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+      - name: Compute artifact hashes for SLSA provenance
+        id: hash
+        working-directory: dist
+        run: |
+          set -euo pipefail
+          shopt -s nullglob
+          subjects=(*.tar.gz *.zip *.deb *.rpm *.apk *.sbom.cdx.json checksums.txt)
+          if [ ${#subjects[@]} -eq 0 ]; then
+            echo "no release artifacts found in dist/" >&2
+            exit 1
+          fi
+          echo "hashes=$(sha256sum -- "${subjects[@]}" | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  # SLSA Level 3 build provenance for binary release artifacts.
+  # Reusable workflow MUST be referenced by tag (not commit SHA): the generator
+  # verifies its own ref and rejects unpinned references at runtime.
+  provenance:
+    needs: [release]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true
 
   verify:
     needs: release
@@ -56,6 +87,10 @@ jobs:
             method: homebrew
           - runner: ubuntu-latest
             method: go-install
+          - runner: ubuntu-latest
+            method: cosign-checksums
+          - runner: ubuntu-latest
+            method: cosign-image
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 10
     steps:
@@ -113,10 +148,47 @@ jobs:
           augur --version
 
       - name: Install from Homebrew
-        if: matrix.method == 'homebrew'
+        if: matrix.method == 'homebrew' && !contains(github.ref_name, '-')
         run: |
           brew install --cask starkross/tap/augur
           augur --version
 
+      - name: Skip Homebrew verify on pre-release
+        if: matrix.method == 'homebrew' && contains(github.ref_name, '-')
+        run: echo "Skipping Homebrew verify for pre-release ${GITHUB_REF_NAME} (tap is not updated for pre-releases by design)."
+
+      - name: Install cosign
+        if: startsWith(matrix.method, 'cosign-')
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Verify checksums.txt cosign signature
+        if: matrix.method == 'cosign-checksums'
+        env:
+          IDENTITY_REGEX: https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/tags/v.*
+          OIDC_ISSUER: https://token.actions.githubusercontent.com
+        run: |
+          set -euo pipefail
+          base="https://github.com/${{ github.repository }}/releases/download/${GITHUB_REF_NAME}"
+          curl -fsSL "${base}/checksums.txt"     -o checksums.txt
+          curl -fsSL "${base}/checksums.txt.sig" -o checksums.txt.sig
+          curl -fsSL "${base}/checksums.txt.pem" -o checksums.txt.pem
+          cosign verify-blob \
+            --certificate checksums.txt.pem \
+            --signature   checksums.txt.sig \
+            --certificate-identity-regexp "${IDENTITY_REGEX}" \
+            --certificate-oidc-issuer     "${OIDC_ISSUER}" \
+            checksums.txt
+
+      - name: Verify container image cosign signature
+        if: matrix.method == 'cosign-image'
+        env:
+          IDENTITY_REGEX: https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/tags/v.*
+          OIDC_ISSUER: https://token.actions.githubusercontent.com
+        run: |
+          set -euo pipefail
+          cosign verify "ghcr.io/starkross/augur:${{ steps.version.outputs.version }}" \
+            --certificate-identity-regexp "${IDENTITY_REGEX}" \
+            --certificate-oidc-issuer     "${OIDC_ISSUER}"
+
       - name: Verify version output
         run: echo "Successfully installed augur ${{ steps.version.outputs.version }} via ${{ matrix.method }}"
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -32,8 +32,11 @@ kos:
     repositories:
       - ghcr.io/starkross/augur
     platforms: [linux/amd64, linux/arm64]
-    tags: ["{{ .Version }}", latest]
+    tags:
+      - "{{ .Version }}"
+      - '{{ if not .Prerelease }}latest{{ end }}'
     bare: true
+    sbom: cyclonedx
     ldflags: [-s, -w, "-X main.version={{.Version}}"]
     labels:
       org.opencontainers.image.title: "{{ .ProjectName }}"
@@ -50,10 +53,46 @@ homebrew_casks:
     homepage: https://github.com/starkross/augur
     description: Policy-driven linter for OpenTelemetry configurations
     license: Apache-2.0
+    skip_upload: auto
+
+release:
+  prerelease: auto
 
 checksum:
   name_template: checksums.txt
 
+sboms:
+  - id: archive
+    artifacts: archive
+    documents:
+      - "${artifact}.sbom.cdx.json"
+    cmd: syft
+    args: [scan, "$artifact", --output, "cyclonedx-json=$document"]
+
+signs:
+  - id: checksums
+    cmd: cosign
+    certificate: "${artifact}.pem"
+    signature: "${artifact}.sig"
+    args:
+      - sign-blob
+      - "--yes"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+    artifacts: checksum
+    output: true
+
+docker_signs:
+  - id: images
+    cmd: cosign
+    args:
+      - sign
+      - "--yes"
+      - "${artifact}"
+    artifacts: manifests
+    output: true
+
 nfpms:
   - package_name: augur
     maintainer: starkross
diff --git a/README.md b/README.md
@@ -162,3 +162,21 @@ augur --policy ./my-policies config.yaml
 ```
 
 Custom policies are **merged** with the built-in rules — your rules run alongside all default checks.
+
+## Security
+
+Every release is reproducibly built and signed:
+
+- **CycloneDX SBOMs** for every archive and every container image
+- **Cosign keyless signatures** (sigstore OIDC) on `checksums.txt` and on the published OCI image
+- **SLSA Level 3 build provenance** for binary artifacts
+
+Quick verification of a release:
+
+```sh
+cosign verify ghcr.io/starkross/augur:vX.Y.Z \
+  --certificate-identity-regexp 'https://github.com/starkross/augur/\.github/workflows/release\.yml@refs/tags/v.*' \
+  --certificate-oidc-issuer     'https://token.actions.githubusercontent.com'
+```
+
+See [SECURITY.md](SECURITY.md) for the full verification recipe (binaries, images, SLSA provenance, SBOMs) and the vulnerability disclosure process.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,85 @@
+# Security
+
+## Supply chain
+
+Every tagged release of `augur` ships with the following supply-chain artifacts:
+
+| Artifact | Format | Where |
+|----------|--------|-------|
+| Binary archives | `tar.gz` / `zip` | GitHub release page |
+| Linux packages | `deb`, `rpm`, `apk` | GitHub release page |
+| Container images | OCI (linux/amd64, linux/arm64) | `ghcr.io/starkross/augur` |
+| SBOM (per archive) | CycloneDX JSON | `<archive>.sbom.cdx.json` on the release page |
+| SBOM (per image) | CycloneDX, attached as OCI referrer | discoverable via `cosign download sbom` |
+| Checksums | SHA-256 | `checksums.txt` |
+| Cosign signature (checksums) | sigstore keyless | `checksums.txt.sig` + `checksums.txt.pem` |
+| Cosign signature (image) | sigstore keyless | OCI signature in registry |
+| SLSA build provenance | in-toto bundle | `multiple.intoto.jsonl` on the release page |
+
+Signatures are produced with **cosign keyless** (sigstore OIDC). The signing identity is the release workflow itself — there is no long-lived signing key to leak or rotate.
+
+## Verifying a release
+
+You will need [`cosign`](https://docs.sigstore.dev/cosign/installation/) (≥ v2.0). Replace `vX.Y.Z` with the release tag you want to verify.
+
+### 1. Verify `checksums.txt` and then verify your binary
+
+```sh
+TAG=vX.Y.Z
+BASE="https://github.com/starkross/augur/releases/download/${TAG}"
+
+curl -fsSLO "${BASE}/checksums.txt"
+curl -fsSLO "${BASE}/checksums.txt.sig"
+curl -fsSLO "${BASE}/checksums.txt.pem"
+
+cosign verify-blob \
+  --certificate checksums.txt.pem \
+  --signature   checksums.txt.sig \
+  --certificate-identity-regexp 'https://github.com/starkross/augur/\.github/workflows/release\.yml@refs/tags/v.*' \
+  --certificate-oidc-issuer     'https://token.actions.githubusercontent.com' \
+  checksums.txt
+
+# Now verify your downloaded binary matches the signed checksum
+curl -fsSLO "${BASE}/augur_${TAG#v}_linux_amd64.tar.gz"
+sha256sum --ignore-missing --check checksums.txt
+```
+
+### 2. Verify the container image
+
+```sh
+cosign verify ghcr.io/starkross/augur:vX.Y.Z \
+  --certificate-identity-regexp 'https://github.com/starkross/augur/\.github/workflows/release\.yml@refs/tags/v.*' \
+  --certificate-oidc-issuer     'https://token.actions.githubusercontent.com'
+```
+
+### 3. Verify SLSA build provenance
+
+```sh
+# Install slsa-verifier: https://github.com/slsa-framework/slsa-verifier
+slsa-verifier verify-artifact \
+  --provenance-path multiple.intoto.jsonl \
+  --source-uri github.com/starkross/augur \
+  --source-tag  vX.Y.Z \
+  augur_${TAG#v}_linux_amd64.tar.gz
+```
+
+### 4. Inspect the SBOM
+
+```sh
+# For an archive: download <archive>.sbom.cdx.json from the release page.
+
+# For a container image:
+cosign download sbom ghcr.io/starkross/augur:vX.Y.Z > augur.sbom.cdx.json
+```
+
+The SBOM is in [CycloneDX 1.5+](https://cyclonedx.org/) JSON. Feed it to your scanner of choice (`grype`, `trivy sbom`, Dependency-Track, etc.).
+
+## Reporting a vulnerability
+
+Please **do not open a public GitHub issue** for security vulnerabilities. Instead, use GitHub's private vulnerability reporting:
+
+1. Go to https://github.com/starkross/augur/security/advisories
+2. Click **Report a vulnerability**
+3. Provide a description, reproduction steps, and the affected versions
+
+We will acknowledge the report within a few working days and coordinate disclosure.
