Add pre-submit to verify base images (#592)

* Add comments to verify new base image digests

* Add pre-submit to verify Dockerfile base images.

* add step to install cosign

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Use specific golang version for tag

Signed-off-by: Ian Lewis <ianlewis@google.com>

* retab

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Add description comment

Signed-off-by: Ian Lewis <ianlewis@google.com>

Signed-off-by: Ian Lewis <ianlewis@google.com>

.github/actions/detect-workflow/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang@sha256:9349ed889adb906efa5ebc06485fe1b6a12fb265a01c9266a137bb1352565560 as builder
+FROM golang:1.18.5@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 as builder
 
 WORKDIR /app
 COPY . /app
@@ -22,8 +22,6 @@ RUN go get -d -v
 # Statically compile our app for use in a distroless container
 RUN CGO_ENABLED=0 go build -ldflags="-w -s" -v -o app .
 
-# A distroless container image with some basics like SSL certificates
-# https://github.com/GoogleContainerTools/distroless
 FROM gcr.io/distroless/static@sha256:21d3f84a4f37c36199fd07ad5544dcafecc17776e3f3628baf9a57c8c0181b3f
 
 COPY --from=builder /app/app /app

.github/workflows/pre-submit.base-images.yml

@@ -0,0 +1,20 @@
+name: pre-submit base images
+
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  verify-base-images:
+    name: verify base images
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - name: install cosign
+        uses: sigstore/cosign-installer@b3413d484cc23cf8778c3d2aa361568d4eb54679 # tag=v2.5.1
+      - name: verify images
+        run: ./.github/workflows/scripts/verify-base-images.sh

.github/workflows/scripts/distroless.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q
+OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA==
+-----END PUBLIC KEY-----

.github/workflows/scripts/verify-base-images.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# verify-base-images.sh verifies that base images used in Dockerfiles are
+# referenced by image digest and signed by their developers. It should be run at
+# the git repository's root directory.
+#
+# distroless images are verified with cosign using the distroless project's
+# public key available here:
+# https://github.com/GoogleContainerTools/distroless#how-do-i-verify-distroless-images
+#
+# All other images are assumed to be Docker official images that are signed
+# using Docker Content Trust (https://docs.docker.com/engine/security/trust/).
+# The public key for Docker official images in included in Docker releases by
+# default so no signers or keys need to be added.
+
+set -euo pipefail
+
+# NOTE: Use read to avoid whitespace issues.
+find . -name Dockerfile -print0 | while IFS= read -r -d '' f; do
+    echo "Checking $f"
+    grep "^FROM " "$f" | while IFS= read -r line; do
+        image_full=$(echo "$line" | awk '{ print $2 }')
+        image_name=$(echo "$image_full" | cut -d '@' -f 1)
+        image_sha=$(echo "$image_full" | cut -d '@' -f 2- | cut -d ':' -f 2-)
+
+        echo "Verifying base image $image_full"
+
+        # verify that the image contains a sha.
+        if [ "$image_sha" == "" ]; then
+            echo "\"$image_full\" should be referenced by digest."
+            exit 2
+        fi
+
+        # verify distroless base images.
+        if [[ "$image_name" == gcr.io/distroless/* ]]; then
+            # verify the image signature.
+            cosign verify --key .github/workflows/scripts/distroless.pub "$image_full"
+        else
+            # All other base images should be signed using Docker Content Trust.
+            if ! (DOCKER_CONTENT_TRUST=1 docker trust inspect --pretty "$image_name" | grep "$image_sha"); then
+                echo "$image_full: unable to verify Docker Content Trust."
+                exit 2
+            fi
+        fi
+    done
+done