Zion Boggan
repos/security-portfolio/cicd-supply-chain-security/index.html
zionboggan.com ↗
Code Commits Tags
327 lines · html
History for this file →
1
<!doctype html>
2
<html lang="en">
3
<head>
4
<meta charset="utf-8">
5
<meta name="viewport" content="width=device-width, initial-scale=1.0">
6
<title>CI/CD Supply-Chain Security | Zion Boggan</title>
7
<meta name="description" content="Proves the artifact, not just the source: keyless Cosign signing, a signed SPDX SBOM, grype scanning, and a Kyverno admission policy that refuses anything it can&amp;#x27;t verify.">
8
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
9
<style>
10
  :root{
11
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
12
    --line:#222936; --line2:#2c3543;
13
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
14
    --accent:#6cc7b8; --accent-dim:#274b47;
15
    --maxw:1020px;
16
  }
17
  *{box-sizing:border-box;}
18
  html{scroll-behavior:smooth;}
19
  body{margin:0;background:var(--bg);color:var(--ink);
20
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
21
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
22
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
23
  a{color:var(--accent);text-decoration:none;}
24
  a:hover{color:#8fe0d2;}
25
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
26
27
  /* nav */
28
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
29
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
30
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
31
  nav .brand{font-weight:600;letter-spacing:.2px;}
32
  nav .brand .dot{color:var(--accent);}
33
  nav .links{display:flex;gap:26px;font-size:13.5px;}
34
  nav .links a{color:var(--muted);}
35
  nav .links a:hover{color:var(--ink);}
36
  @media(max-width:680px){nav .links{display:none;}}
37
38
  /* hero */
39
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
40
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
41
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
42
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
43
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
44
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
45
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
46
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
47
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
48
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
49
  .hero .lede b{color:var(--ink);font-weight:600;}
50
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
51
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
52
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
53
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
54
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
55
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
56
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
57
  .meta .mono{color:var(--faint);}
58
59
  /* sections */
60
  section{padding:64px 0;border-bottom:1px solid var(--line);}
61
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
62
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
63
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
64
  .shead .rule{flex:1;height:1px;background:var(--line);}
65
66
  /* flagship */
67
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
68
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
69
  .flag .top{padding:30px 32px 8px;}
70
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
71
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
72
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
73
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
74
  .flag p{color:var(--soft);margin:0 0 16px;}
75
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
76
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
77
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
78
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
79
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
80
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
81
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
82
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
83
  .spec li:first-child{border-top:none;}
84
  .spec li span{color:var(--muted);}
85
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
86
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
87
88
  /* lab cards */
89
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
90
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
91
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
92
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
93
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
94
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
95
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
96
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
97
  .card h3{margin:0 0 9px;font-size:17px;}
98
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
99
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
100
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
101
    border-radius:5px;padding:3px 8px;}
102
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
103
  .card .lnk::after{content:" โ†’";}
104
105
  /* research */
106
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
107
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
108
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
109
    padding:18px 22px;border-top:1px solid var(--line);}
110
  .ritem:first-child{border-top:none;}
111
  .ritem:hover{background:var(--panel);}
112
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
113
  .ritem h3{margin:0 0 3px;font-size:16px;}
114
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
115
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
116
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
117
  .progs{margin-top:22px;}
118
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
119
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
120
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
121
    border-radius:6px;padding:4px 10px;}
122
123
  /* credentials */
124
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
125
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
126
  .cred p{color:var(--soft);margin:0 0 14px;}
127
  .cred .role{font-size:14px;color:var(--muted);}
128
  .cred .role b{color:var(--ink);font-weight:600;}
129
  .certs{list-style:none;margin:0;padding:0;}
130
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
131
    display:flex;gap:10px;align-items:baseline;}
132
  .certs li:first-child{border-top:none;}
133
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
134
135
  footer{padding:46px 0 64px;}
136
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
137
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
138
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
139
140
  /* detail pages */
141
  .detail-hero{padding:40px 0 28px;}
142
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:22px;font-family:ui-monospace,Menlo,monospace;}
143
  .back:hover{color:var(--ink);}
144
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
145
  .detail-hero h1{font-size:clamp(28px,5vw,42px);margin:0 0 12px;letter-spacing:-.6px;}
146
  .detail-hero .tagline{font-size:clamp(16px,2.2vw,19px);color:var(--soft);max-width:780px;margin:0 0 18px;}
147
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(148px,1fr));gap:12px;margin-top:24px;}
148
  figure{margin:0;}
149
  .shot{border:1px solid var(--line2);border-radius:12px;overflow:hidden;background:#fff;margin:30px 0 6px;}
150
  .shot img,.shot video{display:block;width:100%;height:auto;}
151
  figcaption{font-size:13px;color:var(--muted);margin:11px 2px 0;}
152
  .content{padding:6px 0 0;}
153
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:44px 0 16px;font-weight:600;border-top:1px solid var(--line);padding-top:30px;}
154
  .content h2.first{border-top:none;padding-top:6px;margin-top:18px;}
155
  .content p{color:var(--soft);margin:0 0 16px;}
156
  .content ul,.content ol{color:var(--soft);margin:0 0 16px;padding-left:22px;}
157
  .content li{margin:6px 0;}
158
  .content strong{color:var(--ink);font-weight:600;}
159
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:13px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
160
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
161
  .content pre code{background:none;border:none;padding:0;font-size:12.5px;color:var(--soft);line-height:1.62;}
162
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.5px;}
163
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
164
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
165
  .content td code{font-size:12px;}
166
  .gallery{margin-top:8px;}
167
  .repo-line{margin:42px 0 0;color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace;}
168
</style>
169
<link rel="canonical" href="https://zionboggan.com/cicd-supply-chain-security/">
170
<meta name="author" content="Zion Boggan">
171
<meta name="robots" content="index, follow, max-image-preview:large">
172
<meta property="og:type" content="article">
173
<meta property="og:site_name" content="Zion Boggan">
174
<meta property="og:title" content="CI/CD Supply-Chain Security | Zion Boggan">
175
<meta property="og:description" content="Proves the artifact, not just the source: keyless Cosign signing, a signed SPDX SBOM, grype scanning, and a Kyverno admission policy that refuses anything it can&amp;#x27;t verify.">
176
<meta property="og:url" content="https://zionboggan.com/cicd-supply-chain-security/">
177
<meta property="og:image" content="https://zionboggan.com/assets/cicd-supply-chain-security/01-cosign-sign-verify.png">
178
<meta name="twitter:card" content="summary_large_image">
179
<meta name="twitter:title" content="CI/CD Supply-Chain Security | Zion Boggan">
180
<meta name="twitter:description" content="Proves the artifact, not just the source: keyless Cosign signing, a signed SPDX SBOM, grype scanning, and a Kyverno admission policy that refuses anything it can&amp;#x27;t verify.">
181
<meta name="twitter:image" content="https://zionboggan.com/assets/cicd-supply-chain-security/01-cosign-sign-verify.png">
182
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"CI/CD Supply-Chain Security","description":"Proves the artifact, not just the source: keyless Cosign signing, a signed SPDX SBOM, grype scanning, and a Kyverno admission policy that refuses anything it can&amp;#x27;t verify.","url":"https://zionboggan.com/cicd-supply-chain-security/","image":"https://zionboggan.com/assets/cicd-supply-chain-security/01-cosign-sign-verify.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
183
</head>
184
<body>
185
<nav><div class="wrap">
186
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
187
  <span class="links">
188
    <a href="/#oversight">Oversight</a>
189
    <a href="/#labs">Labs</a>
190
    <a href="/#research">Research</a>
191
    <a href="/#background">Background</a>
192
    <a href="/">Home</a>
193
  </span>
194
</div></nav>
195
<header class="hero detail-hero"><div class="wrap">
196
  <a class="back" href="/#labs">&larr; All work</a>
197
  <div class="kicker">SUPPLY CHAIN</div>
198
  <h1>CI/CD Supply-Chain Security</h1>
199
  <p class="tagline">Proves the artifact, not just the source: keyless Cosign signing, a signed SPDX SBOM, grype scanning, and a Kyverno admission policy that refuses anything it can&#x27;t verify.</p>
200
  <div class="tags"><span>Cosign</span><span>Sigstore</span><span>syft</span><span>grype</span><span>Kyverno</span><span>Rekor</span><span>Fulcio</span><span>GitHub Actions</span><span>GHCR</span><span>SPDX</span></div>
201
  <div class="facts"><div class="stat"><div class="n">4</div><div class="k">Chained CI jobs: build, scan, sign, verify</div></div><div class="stat"><div class="n">0</div><div class="k">Private keys to store (keyless Fulcio OIDC)</div></div><div class="stat"><div class="n">SPDX</div><div class="k">SBOM format (spdx-json), signed as attestation</div></div><div class="stat"><div class="n">high</div><div class="k">grype severity-cutoff that fails the build</div></div><div class="stat"><div class="n">2</div><div class="k">Kyverno rules: signature + SBOM, both required</div></div><div class="stat"><div class="n">1.12.5</div><div class="k">Kyverno CLI pinned for policy tests in CI</div></div></div>
202
  <div class="cta" style="margin-top:24px"></div>
203
</div></header>
204
<section><div class="wrap">
205
  <figure class="shot"><img loading="lazy" src="/assets/cicd-supply-chain-security/01-cosign-sign-verify.png" alt="Cosign sign and verify mechanics, and the rejection that follows the moment a signed artifact is modified."></figure><figcaption>Cosign sign and verify mechanics, and the rejection that follows the moment a signed artifact is modified.</figcaption>
206
  <div class="content">
207
  <h2>Keyless signing with Sigstore</h2>
208
<p>There is no private key to manage or leak. Cosign requests a short-lived certificate from Fulcio bound to the GitHub Actions OIDC identity (<code>https://github.com/&lt;owner&gt;/&lt;repo&gt;</code>), signs the image, and logs the signature to the Rekor transparency log. That is why the workflow requests <code>id-token: write</code> &mdash; without it there is no OIDC token to exchange for a signing certificate. The <code>sign</code> job runs verbatim:</p><pre><code>- name: sign image keyless
209
  run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
210
211
- uses: actions/download-artifact@v4
212
  with:
213
    name: sbom
214
215
- name: attach sbom attestation
216
  run: |
217
    cosign attest --yes \
218
      --predicate sbom.spdx.json \
219
      --type spdxjson \
220
      ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}</code></pre><p>Verification checks the certificate <strong>identity</strong> and <strong>issuer</strong> rather than a key you have to rotate. An image built somewhere else simply cannot produce a signature from this repo's identity.</p>
221
<h2>SBOM + scanning</h2>
222
<p>After the image is built and pushed to GHCR by digest, the <code>scan</code> job uses Anchore's <code>syft</code> to generate an SPDX-JSON SBOM from the actual pushed image, then <code>grype</code> scans that image. The build fails on any high or critical CVE, so an unsigned-and-vulnerable image never reaches the registry as a release. Both steps target the digest, not the tag:</p><pre><code>- id: sbom
223
  uses: anchore/sbom-action@v0
224
  with:
225
    image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
226
    format: spdx-json
227
    output-file: sbom.spdx.json
228
229
- uses: anchore/scan-action@v5
230
  id: grype
231
  with:
232
    image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
233
    fail-build: true
234
    severity-cutoff: high</code></pre><p>The same two tools drive local reproduction through the <code>Makefile</code> &mdash; <code>syft $(IMAGE) -o spdx-json=sbom.spdx.json</code> for the SBOM and <code>grype $(IMAGE) --fail-on high</code> for the scan &mdash; so the gate behaves identically on a laptop and in CI. The resulting <code>sbom.spdx.json</code> is uploaded as a workflow artifact and handed to the <code>sign</code> job, which attaches it as a signed Cosign attestation of type <code>spdxjson</code>, tying the contents to the same OIDC identity that signed the image.</p>
235
<h2>In-pipeline verification (fail-closed)</h2>
236
<p>Signing isn't trusted on faith. A dedicated <code>verify</code> job depends on both <code>build</code> and <code>sign</code> and re-checks the signature and the SBOM attestation against the certificate identity and issuer before the run is considered successful. If either check fails, the job exits non-zero and the run is red:</p><pre><code>- name: verify signature and provenance
237
  run: |
238
    cosign verify \
239
      --certificate-identity-regexp "^https://github.com/${{ github.repository_owner }}/" \
240
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
241
      ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
242
243
- name: verify sbom attestation
244
  run: |
245
    cosign verify-attestation \
246
      --type spdxjson \
247
      --certificate-identity-regexp "^https://github.com/${{ github.repository_owner }}/" \
248
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
249
      ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}</code></pre><p>Verification is matched against a <strong>regexp</strong> on the certificate subject (<code>^https://github.com/&lt;owner&gt;/</code>) and an exact OIDC issuer (<code>https://token.actions.githubusercontent.com</code>). There is no anonymous or unverified path: an image with no signature, a signature from a different identity, or a missing SBOM attestation all produce a non-zero exit. The same logic is factored into <code>policy/verify.sh</code> for verifying any image by hand.</p>
250
<h2>Kyverno admission policy</h2>
251
<p><code>policy/kyverno-verify-images.yaml</code> is a Kyverno <code>ClusterPolicy</code> in <code>Enforce</code> mode (<code>failurePolicy: Fail</code>, <code>background: false</code>) that gates every Pod whose image matches <code>ghcr.io/zionboggan/*</code>. The first rule requires a keyless Cosign signature verified against the public Rekor instance, rewrites the tag to a digest on admission, and marks the check <code>required: true</code>:</p><pre><code>spec:
252
  validationFailureAction: Enforce
253
  webhookTimeoutSeconds: 30
254
  failurePolicy: Fail
255
  background: false
256
  rules:
257
    - name: check-cosign-signature
258
      match:
259
        any:
260
          - resources:
261
              kinds:
262
                - Pod
263
      verifyImages:
264
        - imageReferences:
265
            - "ghcr.io/zionboggan/*"
266
          attestors:
267
            - count: 1
268
              entries:
269
                - keyless:
270
                    subject: "https://github.com/zionboggan/*"
271
                    issuer: "https://token.actions.githubusercontent.com"
272
                    rekor:
273
                      url: https://rekor.sigstore.dev
274
          mutateDigest: true
275
          verifyDigest: true
276
          required: true</code></pre><p>The second rule, <code>require-sbom-attestation</code>, demands an SPDX attestation (<code>type: https://spdx.dev/Document</code>) from that same keyless identity, so no image is admitted without a verifiable bill of materials:</p><pre><code>    - name: require-sbom-attestation
277
      match:
278
        any:
279
          - resources:
280
              kinds:
281
                - Pod
282
      verifyImages:
283
        - imageReferences:
284
            - "ghcr.io/zionboggan/*"
285
          attestations:
286
            - type: https://spdx.dev/Document
287
              attestors:
288
                - count: 1
289
                  entries:
290
                    - keyless:
291
                        subject: "https://github.com/zionboggan/*"
292
                        issuer: "https://token.actions.githubusercontent.com"</code></pre><p>Because <code>mutateDigest: true</code> rewrites tags to digests at admission, a Pod can't be pinned to a tag that later moves. A signed image from the pipeline is admitted; an arbitrary <code>nginx:latest</code> is rejected.</p>
293
<h2>Tamper detection</h2>
294
<p>The moment a signed artifact is modified, the signature no longer matches the digest and verification is rejected. The demo re-tags or rebuilds the image so its content (and therefore its digest) changes, then runs the same verifier &mdash; which now fails because no Fulcio certificate in Rekor is bound to the new digest:</p><pre><code>$ cosign verify \
295
    --certificate-identity-regexp "^https://github.com/zionboggan/" \
296
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
297
    ghcr.io/zionboggan/cicd-supply-chain-security@sha256:&lt;tampered-digest&gt;
298
Error: no matching signatures:
299
300
main.go:74: error during command execution: no matching signatures:</code></pre><p>The screenshot below demonstrates the same mechanics offline with a local key pair: a valid <code>cosign verify</code> against the signed image, then the rejection the instant the artifact is altered. Because every step &mdash; build output, scan target, sign, attest, verify, and the Kyverno admission rewrite &mdash; operates on <code>@sha256:...</code>, signing a tag never silently degrades to signing a mutable pointer, and tampering is always caught at the digest boundary.</p>
301
<h2>Tamper resistance and transparency</h2>
302
<p>This layer defends against the attacks where the source is fine but the artifact isn't, and each maps to a concrete control:</p><table><thead><tr><th>Attack</th><th>Control</th></tr></thead><tbody><tr><td>Registry account compromised, tag repointed at a malicious image</td><td>Kyverno resolves tags to digests on admission and requires a signature over that digest; moving a tag doesn't move the signature</td></tr><tr><td>Build runner tampered with, producing a backdoored image</td><td>Signature is tied to the workflow's OIDC identity; an image built elsewhere can't sign as <code>https://github.com/zionboggan/...</code></td></tr><tr><td>Dependency with a known high/critical CVE pulled at build time</td><td>grype scans the built image and fails the build before signing happens</td></tr><tr><td>Image deployed whose contents nobody can account for</td><td>SPDX SBOM generated from the actual image, signed as an attestation, required at admission &mdash; no SBOM, no deploy</td></tr></tbody></table><p>Every signature and attestation is recorded in Rekor, giving an append-only, auditable record of what was signed, by which identity, and when. If a signing identity is ever misused, the log is where you would find every artifact it touched.</p>
303
<h2>Testing the policy in CI</h2>
304
<p>A separate <code>admission-policy-check</code> workflow runs on pull requests that touch <code>policy/**</code>. It installs a pinned Kyverno CLI (<code>v1.12.5</code>) and runs the policy against <code>policy/test/pods.yaml</code>, which contains one signed Pod (<code>ghcr.io/zionboggan/cicd-supply-chain-security</code>) and one unsigned <code>docker.io/library/nginx:latest</code> Pod, so the allow and deny paths are both exercised before the policy can change:</p><pre><code>- name: install kyverno cli
305
  run: |
306
    curl -sLo kyverno.tar.gz https://github.com/kyverno/kyverno/releases/download/v1.12.5/kyverno-cli_v1.12.5_linux_x86_64.tar.gz
307
    tar -xzf kyverno.tar.gz kyverno
308
    sudo install kyverno /usr/local/bin/
309
310
- name: validate policy
311
  run: kyverno apply policy/kyverno-verify-images.yaml --resource policy/test/pods.yaml</code></pre><p>The same steps are wired into the <code>Makefile</code> targets (<code>build</code>, <code>sbom</code>, <code>scan</code>, <code>sign</code>, <code>verify</code>, <code>policy-test</code>) for local reproduction, with <code>policy-test</code> calling the identical <code>kyverno apply</code> invocation.</p>
312
  </div>
313
314
  <p class="repo-line">Repository &middot; github.com/zionboggan/cicd-supply-chain-security</p>
315
</div></section>
316
<footer><div class="wrap row">
317
  <div class="links">
318
    <a href="/">Portfolio</a>
319
    <a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a>
320
    <a href="https://oversightprotocol.dev/">Oversight</a>
321
    <a href="mailto:zionboggan0@gmail.com">Email</a>
322
  </div>
323
  <div class="note">Built and deployed on a self-hosted Proxmox homelab. This page mirrors the
324
  project's documentation and results so the work is fully viewable here.</div>
325
</div></footer>
326
</body>
327
</html>