Found artifact build without evidence of cosign sign execution in pipeline

Description

This policy checks if a GitHub Actions workflow that builds artifacts also includes a step to sign the artifacts with cosign. Signing artifacts is crucial for ensuring the integrity and authenticity of the software supply chain. Without proper signing, artifacts can be tampered with, potentially leading to security breaches. This check helps prevent such vulnerabilities by enforcing the use of cosign for artifact signing in GitHub Actions workflows.

Code Example

yaml

- name: Build and sign artifact
  run: |
    # Build commands here...
    cosign sign -key <key> <artifact>

Remediation

Add a step to the workflow to sign the artifacts with cosign after the build step.

Rule Details

Field	Value
ID	IAC-1028
Severity	MEDIUM
IaC Type	github_actions
Frameworks	jobs
Checkov ID	CKV_GHA_5

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Found artifact build without evidence of cosign sign execution in pipeline

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Found artifact build without evidence of cosign sign execution in pipeline ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

Found artifact build without evidence of cosign sign execution in pipeline

Description

Code Example

Remediation

Rule Details

References