verify installs

Author: anthony-nhs

.github/workflows/build_all_images.yml

@@ -37,9 +37,9 @@ jobs:
 
   build_tool_images:
     # build common tool images with a lower scoped github token
-    # as it uses a 3rd party docker image with github cli installed to verify attestation of tflint binary
-    # and we dont want to make a high scoped token available to that image
-    # token needs attestation read so it can verify attestation of tflint binary
+    # as it uses a 3rd party docker image with github cli installed to verify attestation of binaries downloaded from github
+    # and we don't want to make a high scoped token available to that image
+    # token needs attestation read so it can verify attestation of binaries
     name: Build tool images for on ${{ matrix.arch }}
     runs-on: '${{ matrix.runner }}'
     strategy:
@@ -59,23 +59,14 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
-      - name: build_grype
+      - name: build_tools
         run: |
-          make build-grype
+          make build-tools
           docker save "local_grype:latest" -o grype_image.tar
-      - name: build_syft
-        run: |
-          make build-syft
           docker save "local_syft:latest" -o syft_image.tar
-      - name: build_grant
-        run: |
-          make build-grant
           docker save "local_grant:latest" -o grant_image.tar
-
-      - name: build_tflint
-        run: |
-          make build-tflint
           docker save "local_tflint:latest" -o tflint_image.tar
+          docker save "local_zizmor:latest" -o zizmor_image.tar
         env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

Makefile

@@ -91,11 +91,24 @@ build-tflint:
 	else \
 		docker buildx build \
 			--secret id=GH_TOKEN,env=GITHUB_TOKEN \
-			-f src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint \
+			-f src/base/.devcontainer/Dockerfile.tflint \
 			--tag local_tflint:latest \
-			src/projects/eps-storage-terraform/.devcontainer/; \
+			src/base/.devcontainer/; \
 	fi
 
+build-zizmor:
+	@if docker image inspect local_zizmor:latest >/dev/null 2>&1; then \
+		echo "Image local_zizmor:latest already exists. Skipping build."; \
+	else \
+		docker buildx build \
+			--secret id=GH_TOKEN,env=GITHUB_TOKEN \
+			-f src/base/.devcontainer/Dockerfile.zizmor \
+			--tag local_zizmor:latest \
+			src/base/.devcontainer/; \
+	fi
+
+build-tools: build-syft build-grype build-grant build-tflint build-zizmor
+
 build-image: build-syft build-grype build-grant build-tflint guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
 	workspace_folder="$${CONTAINER_NAME}"; \
 	case "$${CONTAINER_NAME}" in \

src/base/.devcontainer/Dockerfile

@@ -1,20 +1,24 @@
 FROM local_syft:latest AS syft-build
 FROM local_grype:latest AS grype-build
 FROM local_grant:latest AS grant-build
+FROM local_zizmor:latest AS zizmor-build
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
 ARG IMAGE_TAG
 ARG TARGETARCH
+ARG SAM_VERSION="v1.158.0"
 
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV TARGETARCH=${TARGETARCH}
+ENV SAM_VERSION=${SAM_VERSION}
 
 COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
 COPY --chmod=755 scripts/lifecycle/*.sh ${SCRIPTS_DIR}/
 COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
+COPY --chmod=755 scripts/install_aws_sam_cli.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_aws_sam_cli.sh
 COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
@@ -23,7 +27,7 @@ RUN ./root_install.sh
 COPY --from=syft-build /syft /usr/local/bin/syft
 COPY --from=grype-build /grype /usr/local/bin/grype
 COPY --from=grant-build /grant /usr/local/bin/grant
-
+COPY --from=zizmor-build /zizmor /usr/local/bin/zizmor
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
 COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf

src/base/.devcontainer/Dockerfile.tflint

@@ -0,0 +1,24 @@
+FROM serversideup/github-cli:2.89.0 AS build
+ARG TARGETARCH
+ARG TFLINT_VERSION="v0.61.0"
+COPY --chmod=755 scripts/install_github_release.sh /tmp/install_github_release.sh
+RUN --mount=type=secret,id=GH_TOKEN,env=GH_TOKEN \
+    case "${TARGETARCH}" in \
+        x86_64|amd64) DOWNLOAD_BINARY=tflint_linux_amd64.zip ;; \
+        aarch64|arm64) DOWNLOAD_BINARY=tflint_linux_arm64.zip ;; \
+        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+    && INSTALL_DIR=/tmp/tflint/ \
+    ARCH="${TARGETARCH}" \
+    VERSION="${TFLINT_VERSION}" \
+    GITHUB_REPO="terraform-linters/tflint" \
+    TOOL="tflint" \ 
+    DOWNLOAD_BINARY="${DOWNLOAD_BINARY}" \
+    VERIFY_BINARY_ATTESTATION="false" \
+    VERIFY_CHECKSUM="true" \
+    COMPRESSION="zip" \
+    /tmp/install_github_release.sh
+
+FROM scratch
+COPY --from=build /tmp/tflint/tflint /tflint
+ENTRYPOINT ["/tflint"]

src/base/.devcontainer/Dockerfile.zizmor

@@ -0,0 +1,24 @@
+FROM serversideup/github-cli:2.89.0 AS build
+ARG TARGETARCH
+ARG ZIZMOR_VERSION="v1.24.1"
+COPY --chmod=755 scripts/install_github_release.sh /tmp/install_github_release.sh
+RUN --mount=type=secret,id=GH_TOKEN,env=GH_TOKEN \
+    case "${TARGETARCH}" in \
+        x86_64|amd64) DOWNLOAD_BINARY=zizmor-x86_64-unknown-linux-gnu.tar.gz ;; \
+        aarch64|arm64) DOWNLOAD_BINARY=zizmor-aarch64-unknown-linux-gnu.tar.gz  ;; \
+        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+    && INSTALL_DIR=/tmp/zizmor/ \
+    ARCH="${TARGETARCH}" \
+    VERSION="${ZIZMOR_VERSION}" \
+    GITHUB_REPO="zizmorcore/zizmor" \
+    TOOL="zizmor" \ 
+    DOWNLOAD_BINARY="${DOWNLOAD_BINARY}" \
+    VERIFY_BINARY_ATTESTATION="true" \
+    VERIFY_CHECKSUM="false" \
+    COMPRESSION="tar.gz" \
+    /tmp/install_github_release.sh
+
+FROM scratch
+COPY --from=build /tmp/zizmor/zizmor /zizmor
+ENTRYPOINT ["/zizmor"]

src/base/.devcontainer/devcontainer.json

@@ -21,7 +21,9 @@
         "moby": "true",
         "installDockerBuildx": "true"
       },
+      // fine to use github-cli feature here as it verifies the installation
       "ghcr.io/devcontainers/features/github-cli:1": {},
+      // fine to use aws-cli feature here as it verifies the installation
        "ghcr.io/devcontainers/features/aws-cli:1": {
           "version": "latest"
        }

src/base/.devcontainer/scripts/install_aws_sam_cli.sh

@@ -0,0 +1,161 @@
+#!/usr/bin/env bash
+
+set -e
+
+VERSION=${VERSION:-"latest"}
+VERBOSE=${VERBOSE:-"true"}
+
+PRIMARY_PUBLIC_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBGRuSzMBEADsqiwOy78w7F4+sshaMFRIwRGNRm94p5Qey2KMZBxekFtoryVD
+D9jEOnvupx4tvhfBHz5EcUHCEOdl4MTqdBy6vVAshozgxVb9RE8JpECn5lw7XC69
+4Y7Gy1TKKQMEWtDXElkGxIFdUWvWjSnPlzfnoXwQYGeE93CUS3h5dImP22Yk1Ct6
+eGGhlcbg1X4L8EpFMj7GvcsU8f7ziVI/PyC1Xwy39Q8/I67ip5eU5ddxO/xHqrbL
+YC7+8pJPbRMej2twT2LrcpWWYAbprMtRoa6WfE0/thoo3xhHpIMHdPfAA86ZNGIN
+kRLjGUg7jnPTRW4Oin3pCc8nT4Tfc1QERkHm641gTC/jUvpmQsM6h/FUVP2i5iE/
+JHpJcMuL2Mg6zDo3x+3gTCf+Wqz3rZzxB+wQT3yryZs6efcQy7nROiRxYBxCSXX0
+2cNYzsYLb/bYaW8yqWIHD5IqKhw269gp2E5Khs60zgS3CorMb5/xHgXjUCVgcu8a
+a8ncdf9fjl3WS5p0ohetPbO2ZjWv+MaqrZOmUIgKbA4RpWZ/fU97P5BW9ylwmIDB
+sWy0cMxg8MlvSdLytPieogaM0qMg3u5qXRGBr6Wmevkty0qgnmpGGc5zPiUbtOE8
+CnFFqyxBpj5IOnG0KZGVihvn+iRxrv6GO7WWO92+Dc6m94U0EEiBR7QiOwARAQAB
+tDRBV1MgU0FNIENMSSBQcmltYXJ5IDxhd3Mtc2FtLWNsaS1wcmltYXJ5QGFtYXpv
+bi5jb20+iQI/BBMBCQApBQJkbkszAhsvBQkHhM4ABwsJCAcDAgEGFQgCCQoLBBYC
+AwECHgECF4AACgkQQv1fenOtiFqTuhAAzi5+ju5UVOWqHKevOJSO08T4QB8HcqAE
+SVO3mY6/j29knkcL8ubZP/DbpV7QpHPI2PB5qSXsiDTP3IYPbeY78zHSDjljaIK3
+njJLMScFeGPyfPpwMsuY4nzrRIgAtXShPA8N/k4ZJcafnpNqKj7QnPxiC1KaIQWm
+pOtvb8msUF3/s0UTa5Ys/lNRhVC0eGg32ogXGdojZA2kHZWdm9udLo4CDrDcrQT7
+NtDcJASapXSQL63XfAS3snEc4e1941YxcjfYZ33rel8K9juyDZfi1slWR/L3AviI
+QFIaqSHzyOtP1oinUkoVwL8ThevKD3Ag9CZflZLzNCV7yqlF8RlhEZ4zcE/3s9El
+WzCFsozb5HfE1AZonmrDh3SyOEIBMcS6vG5dWnvJrAuSYv2rX38++K5Pr/MIAfOX
+DOI1rtA+XDsHNv9lSwSy0lt+iClawZANO9IXCiN1rOYcVQlwzDFwCNWDgkwdOqS0
+gOA2f8NF9lE5nBbeEuYquoOl1Vy8+ICbgOFs9LoWZlnVh7/RyY6ssowiU9vGUnHI
+L8f9jqRspIz/Fm3JD86ntZxLVGkeZUz62FqErdohYfkFIVcv7GONTEyrz5HLlnpv
+FJ0MR0HjrMrZrnOVZnwBKhpbLocTsH+3t5It4ReYEX0f1DIOL/KRwPvjMvBVkXY5
+hblRVDQoOWc=
+=d9oG
+-----END PGP PUBLIC KEY BLOCK-----"
+
+SIGNER_PUBLIC_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBGgrxIgBEADGCTudveeeVbWpZDGX9Ni57mBRMVSJwQJ6F/PC34jw0DozxTtd
+H+ZPsXLvLwerN/DVXbK8E1qNZ5RGptak8j7MPz+MC3n4txibEJpB61vpjJJM+9cC
+7whaMLDT/SbykHYXdrnHqa8KsUJl7rPLJcaRN722NSxvYVMIOA9ffVXV7cfEyZi5
+MbYF2Gc9LNbKaknImIva7EKeeh2/wI6YCqC5yytyfWU5dL6oHXsgTnFL9mhziMxv
+WhyzawyJG6EJZsJ3WLlbIKApN6XZSXyCxOvlBrebYZjD5v0nA+TJaQ7is8atjtOI
+DGe0AViw7kO8ChTpjA7YG/Uu7n/Fy7qLF/3Nz0b6cBNjemjBazQ3A3KNCpi5hqFM
+Uo1WpoVLr5CXQnc0B3fBUnTIoxi0Sk5MKjH9AbYxfgqEX0ZJB9hAlc6LIEy0Yru6
+MMBrIHE86IMl1NfE/DeLnCdPG23+1PttwyOt3+9z5QwmPe3VPpEfCySPcdxHKZSP
+rLile8qDznEvlPDvQ0qkBxdMtVa2yct5VJkdqy6UrN2xa0dpspHjRUjHh/EY/xMt
+fwMUjOKohaZ/1pjotCcksAsZWUxCNcFvLYxuxeytVk4F09Es1hj4ihhLUI+43/ic
+3DHSEiext7Q8/UccNArkhSCT7UOvvL7QTuP+pjYTyiC8Vx6g/Y5Ht5+qywARAQAB
+tDBBV1MgU0FNIENMSSBUZWFtIDxhd3Mtc2FtLWNsaS1zaWduZXJAYW1hem9uLmNv
+bT6JAj8EEwEJACkFAmgrxIgCGy8FCQPCZwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRBAlKuxvt/atJo6EAC/5C8uJs76W5f5V5XNAMzwBFiZuYpop3DRReCo
+P68ZZylokAC9ShRZnIOujpDJtlNS7T/G00BzmcpspkYYE531ALaXcHWmb9XV0Ajg
+J8iboAVBLY0C7mhL/cbJ3v9QlpXXjyTuhexkJCV8rdHVX/0H8WqTZplEaRuZ7p8q
+PMxddg4ClwstYuH3O/dmNdlGqfb4Fqy8MnV1yGSXRs5Jf+sDlN2UO4mbpyk/mr1c
+f/jFxmx86IkCWJVvdXWCVTe2AFy3NHCdLtdnEvFhokCOQd9wibUWX0j9vq4cVRZT
+qamnpAQaOlH3lXOwrjqo8b1AIPoRWSfMtCYvh6kA8MAJv4cAznzXILSLtOE0mzaU
+qp5qoy37wNIjeztX6c/q4wss05qTlJhnNu4s3nh5VHultooaYpmDxp+ala5TWeuM
+KZDI4KdAGF4z0Raif+N53ndOYIiXkY0goUbsPCnVrCwoK9PjjyoJncq7c14wNl5O
+IQUZEjyYAQDGZqs5XSfY4zW2cCXatrfozKF7R1kSU14DfJwPUyksoNAQEQezfXyq
+kr0gfIWK1r2nMdqS7WgSx/ypS5kdyrHuPZdaYfEVtuezpoT2lQQxOSZqqlp5hI4R
+nqmPte53WXJhbC0tgTIJWn+Uy/d5Q/aSIfD6o8gNLS1BDs1j1ku0XKu1sFCHUcZG
+aerdsIkCHAQQAQkABgUCaCvFeAAKCRBC/V96c62IWt3/D/9gOLzWtz62lqJRCsri
+wcA/yz88ayKb/GUv3FCT5Nd9JZt8y1tW+AE3SPTdcpfZmt5UN2sRzljO61mpKJzp
+eBvYQ9og/34ZrRQqeg8bz02u34LKYl1gD0xY0bWtB7TGIxIZZYqZECoPR0Dp6ZzB
+abzkRSsJkEk0vbZzJhfWFYs98qfp/G0suFSBE79O8Am33DB2jQ/Sollh1VmNE6Sv
+EOgR6+2yEkS2D0+msJMa/V82v9gBTPnxSlNV1d8Dduvt9rbM3LoxiNXUgx/s52yY
+U6H3bwUcQ3UY6uRe1UWo5QnMFcDwfg43+q5rmjB4xQyX/BaQyF5K0hZyG+42/pH1
+EMwl8qN617FTxo3hvQUi/cBahlhQ8EVYsGnHDVxLCisbq5iZvp7+XtmMy1Q417gT
+EQRo8feJh31elGWlccVR2pZgIm1PQ69dzzseHnnKkGhifik0bDGo5/IH2EgI1KFn
+SG399RMU/qRzOPLVP3i+zSJmhMqG8cnZaUwE5V4P21vQSclhhd2Hv/C4SVKNqA2i
++oZbHj2vAkuzTTL075AoANebEjPGqwsKZi5mWUE5Pa931JeiXxWZlEB7rkgQ1PAB
+fsDBhYLt4MxCWAhifLMA6uQ4BhXu2RuXOqNfSbqa8jVF6DB6cD8eAHGpPKfJOl30
+LtZnq+n4SfeNbZjD2FQWZR4CrA==
+=lHfs
+-----END PGP PUBLIC KEY BLOCK-----"
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+    exit 1
+fi
+
+apt_get_update()
+{
+    if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then
+        echo "Running apt-get update..."
+        apt-get update -y
+    fi
+}
+
+# Checks if packages are installed and installs them if not
+check_packages() {
+    if ! dpkg -s "$@" > /dev/null 2>&1; then
+        apt_get_update
+        apt-get -y install --no-install-recommends "$@"
+    fi
+}
+
+export DEBIAN_FRONTEND=noninteractive
+
+check_packages curl ca-certificates gpg dirmngr unzip bash-completion less
+
+verify_aws_sam_cli_gpg_signature() {
+    local filePath=$1
+    local sigFilePath=$2
+    tmp_dir="$(mktemp -d)"
+    trap 'rm -rf "${tmp_dir}"' EXIT
+    local awsGpgKeyring="${tmp_dir}/aws-sam-cli-public-key.gpg"
+
+    echo "${PRIMARY_PUBLIC_KEY}" | gpg --dearmor > "${awsGpgKeyring}"
+    echo "${SIGNER_PUBLIC_KEY}" | gpg --dearmor >> "${awsGpgKeyring}"
+
+    gpg --batch --quiet --no-default-keyring --keyring "${awsGpgKeyring}" --verify "${sigFilePath}" "${filePath}"
+    local status=$?
+
+    return ${status}
+}
+
+install() {
+    tmp_dir="$(mktemp -d)"
+    trap 'rm -rf "${tmp_dir}"' EXIT
+
+    local scriptZipFile="${tmp_dir}/aws-sam-cli.zip"
+    local scriptSigFile="${tmp_dir}/aws-sam-cli.sig"
+
+    architecture=$(dpkg --print-architecture)
+    case "${architecture}" in
+        amd64) architectureStr=x86_64 ;;
+        arm64) architectureStr=arm64 ;;
+        *)
+            echo "AWS SAM CLI does not support machine architecture '$architecture'. Please use an x86-64 or ARM64 machine."
+            exit 1
+    esac
+    local scriptUrl=https://github.com/aws/aws-sam-cli/releases/download/${VERSION}/aws-sam-cli-linux-${architectureStr}.zip
+    echo "Downloading AWS SAM CLI from ${scriptUrl}..."
+    curl -fsSL "${scriptUrl}" -o "${scriptZipFile}"
+    curl -fsSL "${scriptUrl}.sig" -o "${scriptSigFile}"
+
+    verify_aws_sam_cli_gpg_signature "$scriptZipFile" "$scriptSigFile"
+    if (( $? > 0 )); then
+        echo "Could not verify GPG signature of AWS CLI install script. Make sure you provided a valid version."
+        exit 1
+    fi
+    echo "GPG signature of AWS SAM CLI install script verified successfully. Installing..."
+    unzip -q "${scriptZipFile}" -d "${tmp_dir}/aws-sam-cli"
+    "${tmp_dir}/aws-sam-cli/install"
+
+    echo "AWS SAM CLI installed successfully."
+}
+
+echo "(*) Installing AWS SAM CLI..."
+
+install
+
+# Clean up
+rm -rf /var/lib/apt/lists/*
+
+echo "Done!"

src/base/.devcontainer/scripts/install_github_release.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+export DEBIAN_FRONTEND=noninteractive
+
+DEFAULT_INSTALL_DIR="/usr/local/bin"
+INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
+
+if ! command -v curl >/dev/null 2>&1 || ! command -v unzip >/dev/null 2>&1; then
+	apt-get update
+	apt-get install -y --no-install-recommends curl unzip ca-certificates
+fi
+
+if ! command -v gh >/dev/null 2>&1; then
+	echo "GitHub CLI (gh) is required for attestation verification but was not found"
+	exit 1
+fi
+
+if [ "${VERIFY_BINARY_ATTESTATION}" != "true" ] && [ "${VERIFY_CHECKSUM}" != "true" ]; then
+	echo "VERIFY_BINARY_ATTESTATION or VERIFY_CHECKSUM must be set to true"
+	exit 1
+fi
+
+BINARY_URL="https://github.com/${GITHUB_REPO}/releases/download/${VERSION}/${DOWNLOAD_BINARY}"
+BINARY_ASSET_NAME="${DOWNLOAD_BINARY}"
+CHECKSUMS_URL="https://github.com/${GITHUB_REPO}/releases/download/${VERSION}/checksums.txt"
+tmp_dir="$(mktemp -d)"
+trap 'rm -rf "${tmp_dir}"' EXIT
+
+curl -fsSL "${BINARY_URL}" -o "${tmp_dir}/${BINARY_ASSET_NAME}"
+if [ "${VERIFY_BINARY_ATTESTATION}" == "true" ]; then
+	gh attestation verify "${tmp_dir}/${BINARY_ASSET_NAME}" -R "${GITHUB_REPO}"
+fi
+
+if [ "${VERIFY_CHECKSUM}" == "true" ]; then
+	curl -fsSL "${CHECKSUMS_URL}" -o "${tmp_dir}/checksums.txt"
+	gh attestation verify "${tmp_dir}/checksums.txt" -R "${GITHUB_REPO}"
+	(
+		cd "${tmp_dir}"
+		sha256sum --ignore-missing -c checksums.txt
+	)
+fi
+
+if [ "${COMPRESSION}" == "zip" ]; then
+	unzip -q "${tmp_dir}/${BINARY_ASSET_NAME}" -d "${tmp_dir}"
+elif [ "${COMPRESSION}" == "tar.gz" ]; then
+	tar -xzf "${tmp_dir}/${BINARY_ASSET_NAME}" -C "${tmp_dir}"
+else
+	echo "Unsupported compression format: ${COMPRESSION}"
+	exit 1
+fi
+
+mkdir -p "$INSTALL_DIR"
+install -m 0755 "$tmp_dir/$TOOL" "${INSTALL_DIR}/${TOOL}"