
Found artifact build without evidence of cosign sbom attestation in pipeline

Description

This policy flags a GitHub Actions job whose steps build an artifact (typically a container image) but show no later step that attests an SBOM (Software Bill of Materials) for it with cosign. A cosign SBOM attestation is an in-toto statement whose predicate is the SBOM, signed and stored in the registry next to the image digest it describes. Anyone pulling the image can then verify that the SBOM was produced by the pipeline and refers to exactly that artifact, rather than trusting an unsigned file that could have been edited or swapped after the build. Without the attestation the inventory of what went into the build is unverifiable, so downstream consumers cannot prove what they are running, and a tampered build is harder to detect. Add a cosign SBOM attestation step after the build.
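
A minimal version of this kind of check, written as an added example for this page rather than Checkov's own implementation, shows what "evidence of attestation after the build" means in practice. It walks each job's steps, remembers whether an image build appeared, and only passes the job if a later step (or the same script) runs `cosign attest` with an SBOM predicate type. The build and attestation patterns, the sample workflow, and the PASSED/FAILED/UNKNOWN mapping for jobs without builds are assumptions of this example; the workflow is given as the plain dicts PyYAML would produce, so it runs without any dependency.

```python
import re

# Heuristics used by this added example. They are assumptions, not Checkov's exact
# patterns: what counts as an image build, and what counts as an SBOM attestation.
BUILD_RE = re.compile(
    r"\b(?:docker|nerdctl|podman)\s+(?:image\s+)?build\b"
    r"|\bbuildah\s+(?:bud|build)\b"
    r"|\bko\s+build\b"
)
BUILD_ACTIONS = ("docker/build-push-action",)   # `uses:` actions that build images
ATTEST_RE = re.compile(r"\bcosign\s+attest\b")
TYPE_RE = re.compile(r"--type[=\s]+(\S+)")
SBOM_TYPES = {"spdx", "spdxjson", "cyclonedx"}  # cosign predicate types that carry an SBOM


def step_text(step):
    """Flatten a step into one searchable string: its `run:` script, the `uses:`
    reference and every `with:` value (an action may receive cosign args there)."""
    parts = [str(step.get("run") or ""), str(step.get("uses") or "")]
    parts.extend(str(v) for v in (step.get("with") or {}).values())
    return "\n".join(parts)


def is_build_step(step):
    uses = str(step.get("uses") or "")
    if any(uses == a or uses.startswith(a + "@") for a in BUILD_ACTIONS):
        return True
    return BUILD_RE.search(step_text(step)) is not None


def is_sbom_attest_step(step):
    """Only `cosign attest` with an SBOM predicate type counts. Without --type,
    cosign records a `custom` predicate, which is not evidence of an SBOM."""
    text = step_text(step)
    if not ATTEST_RE.search(text):
        return False
    m = TYPE_RE.search(text)
    return m is not None and m.group(1).strip("'\"").lower() in SBOM_TYPES


def check_job(job):
    """Return PASSED, FAILED or UNKNOWN for one job: a build must be followed,
    later in the job or within the same script, by an SBOM attestation. A job
    with no steps is UNKNOWN; a job that builds nothing has nothing to attest
    and passes (assumed mapping for this example)."""
    steps = job.get("steps") or []
    if not steps:
        return "UNKNOWN"
    build_seen = False
    attested = False
    for step in steps:
        if is_build_step(step):
            build_seen = True
            # A later build resets the requirement; the same script may also attest.
            attested = is_sbom_attest_step(step)
        elif build_seen and is_sbom_attest_step(step):
            attested = True
    if build_seen and not attested:
        return "FAILED"
    return "PASSED"


def scan_workflow(workflow):
    """Map each job id in a parsed workflow to its result."""
    return {name: check_job(job) for name, job in (workflow.get("jobs") or {}).items()}


# Constructed sample workflow (not from any real repository), shaped as PyYAML
# would load .github/workflows/release.yml.
IMAGE = "ghcr.io/acme/app:${{ github.sha }}"
SAMPLE_WORKFLOW = {
    "name": "release",
    "on": {"push": {"tags": ["v*"]}},
    "jobs": {
        "lint": {"runs-on": "ubuntu-latest", "steps": [{"run": "make lint"}]},
        "build-only": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4"},
            {"run": f"docker build -t {IMAGE} .\ndocker push {IMAGE}"},
        ]},
        "build-custom-predicate": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "docker/build-push-action@v5", "with": {"push": True, "tags": IMAGE}},
            # no --type: cosign attaches a `custom` predicate, not an SBOM
            {"run": f"cosign attest --yes --predicate sbom.spdx.json {IMAGE}"},
        ]},
        "build-and-attest": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "docker/build-push-action@v5", "with": {"push": True, "tags": IMAGE}},
            {"run": f"syft {IMAGE} -o spdx-json > sbom.spdx.json"},
            {"run": f"cosign attest --yes --type spdxjson --predicate sbom.spdx.json {IMAGE}"},
        ]},
        "attest-before-build": {"runs-on": "ubuntu-latest", "steps": [
            {"run": "cosign attest --yes --type cyclonedx --predicate sbom.cdx.json ghcr.io/acme/app:old"},
            {"run": f"docker build -t {IMAGE} ."},
        ]},
    },
}

if __name__ == "__main__":
    for job, result in scan_workflow(SAMPLE_WORKFLOW).items():
        print(f"{result:7} CKV_GHA_6 jobs.{job}")
```

The ordering rule is the part a naive grep misses: an attestation that runs before the build, or a `cosign attest` that omits `--type` and therefore records a `custom` predicate, both leave the job failing, which matches the remediation's requirement that the SBOM attestation come after the build.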

Code Example

```yaml
- name: Build image, then attest its SBOM with cosign
  env:
    IMAGE: ghcr.io/acme/app:${{ github.sha }}   # placeholder image reference
  run: |
    docker build -t "$IMAGE" . && docker push "$IMAGE"   # cosign attest resolves the image by digest from the registry
    syft "$IMAGE" -o spdx-json > sbom.spdx.json           # produce the SBOM (cosign does not generate SBOMs itself)
    cosign attest --yes --type spdxjson --predicate sbom.spdx.json "$IMAGE"   # sign the SBOM and attach it to the image
```

Remediation

Add a step after the build that attests the SBOM with cosign: generate the SBOM for the built artifact (for example with syft), then run `cosign attest --type spdxjson --predicate <sbom-file> <image-ref>` (or `--type cyclonedx` for a CycloneDX SBOM). The image must already be pushed, since cosign stores the attestation in the registry under the image digest. For keyless signing in GitHub Actions the job needs `permissions: id-token: write` so cosign can obtain the workflow's OIDC token. Consumers then check it with `cosign verify-attestation --type spdxjson --certificate-identity <workflow identity> --certificate-oidc-issuer https://token.actions.githubusercontent.com <image-ref>`. Note that `cosign generate` only emits the signature payload for an image and `cosign sign` signs the image itself; neither produces or attaches an SBOM, so they do not satisfy this check.

Rule Details

| Field | Value |
|---|---|
| ID | IAC-1029 |
| Severity | MEDIUM |
| IaC Type | github_actions |
| Frameworks | jobs |
| Checkov ID | CKV_GHA_6 |

References