coder · matifali · Mar 13, 2025 · Mar 11, 2025 · Mar 12, 2025 · Mar 12, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1024,6 +1024,7 @@ jobs:
       # Necessary to push docker images to ghcr.io.
       packages: write
       # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+      # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
       id-token: write
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
@@ -1069,6 +1070,16 @@ jobs:
       - name: Install zstd
         run: sudo apt-get install -y zstd
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        with:
+          cosign-release: "v2.4.3"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        with:
+          syft-version: "v1.20.0"
+
       - name: Setup Windows EV Signing Certificate
         run: |
           set -euo pipefail

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -122,6 +122,7 @@ jobs:
       # Necessary to push docker images to ghcr.io.
       packages: write
       # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+      # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
       id-token: write
     env:
       # Necessary for Docker manifest
@@ -246,6 +247,16 @@ jobs:
             apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
           rm /tmp/rcodesign.tar.gz
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        with:
+          cosign-release: "v2.4.3"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        with:
+          syft-version: "v1.20.0"
+
       - name: Setup Apple Developer certificate and API key
         run: |
           set -euo pipefail
@@ -361,6 +372,7 @@ jobs:
           file: scripts/Dockerfile.base
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           provenance: true
+          sbom: true
           pull: true
           no-cache: true
           push: true

diff --git a/dogfood/coder/Dockerfile b/dogfood/coder/Dockerfile
@@ -278,7 +278,9 @@ ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \
 	KUBECTX_VERSION=0.9.4 \
 	STRIPE_VERSION=1.14.5 \
 	TERRAGRUNT_VERSION=0.45.11 \
-	TRIVY_VERSION=0.41.0
+	TRIVY_VERSION=0.41.0 \
+	SYFT_VERSION=1.20.0 \
+	COSIGN_VERSION=2.4.3
 
 # cloud_sql_proxy, for connecting to cloudsql instances
 # the upstream go.mod prevents this from being installed with go install
@@ -316,7 +318,13 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox
 	chmod a=rx /usr/local/bin/terragrunt && \
 	# AquaSec Trivy for scanning container images for security issues
 	curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- trivy
+	tar --extract --gzip --directory=/usr/local/bin --file=- trivy && \
+	# Anchore Syft for SBOM generation
+	curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux-amd64.tar.gz" | \
+	tar --extract --gzip --directory=/usr/local/bin --file=- syft \
+	# Sigstore Cosign for artifact signing and attestation
+	curl --silent --show-error --location --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \
+	chmod a=rx /usr/local/bin/cosign
 
 # We use yq during "make deploy" to manually substitute out fields in
 # our helm values.yaml file. See https://github.com/helm/helm/issues/3141

diff --git a/dogfood/coder/files/etc/docker/daemon.json b/dogfood/coder/files/etc/docker/daemon.json
@@ -1,3 +1,6 @@
 {
-	"registry-mirrors": ["https://mirror.gcr.io"]
+	"registry-mirrors": ["https://mirror.gcr.io"],
+	"features": {
+		"containerd-snapshotter": true
+	}
 }
diff --git a/flake.nix b/flake.nix
@@ -113,6 +113,7 @@
             bat
             cairo
             curl
+            cosign
             delve
             dive
             drpc.defaultPackage.${system}
@@ -161,6 +162,7 @@
             shellcheck
             (pinnedPkgs.shfmt)
             sqlc
+            syft
             unstablePkgs.terraform
             typos
             which

diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
@@ -153,4 +153,17 @@ if [[ "$push" == 1 ]]; then
 	docker push "$image_tag" 1>&2
 fi
 
+log "--- Generating SBOM for Docker image ($image_tag)"
+syft "$image_tag" -o spdx-json >"${image_tag}.spdx.json"
+
+if [[ "$push" == 1 ]]; then
+	log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
+	COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
+
+	COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+		--predicate "${image_tag}.spdx.json" \
+		--yes \
+		"$image_tag"
+fi
+
 echo "$image_tag"
-Original file line number
+Diff line change
@@ Expand Up / @@ -113,6 +113,7 @@ @@
                 bat
                 cairo
                 curl
+                cosign
                 delve
                 dive
                 drpc.defaultPackage.${system}
@@ Expand Down Expand Up / @@ -161,6 +162,7 @@ @@
                 shellcheck
                 (pinnedPkgs.shfmt)
                 sqlc
+                syft
                 unstablePkgs.terraform
                 typos
                 which
@@ Expand Down @@