Skip to content

sfox-equinix/cosign-buildkite-plugin

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
.github
.github
 
 
hooks
hooks
 
 
tests
tests
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
plugin.yml
plugin.yml
 
 
renovate.json
renovate.json
 
 

Repository files navigation

cosign buildkite plugin

The cosign buildkite plugin provides a convenient mechanism for running the open-source cosign container signing tool for your containers. For more information about cosign, please refer to their documentation.

Features

  • Automatically downloads and verifies the cosign executable if it cannot be found in the PATH environment variable's directories

Basic signing example

The following code snippet demonstrates how to use the plugin in a pipeline step with the default plugin configuration parameters:

steps:
  - command: ls
    plugins:
      - equinixmetal-buildkite/cosign#v0.1.0:
          image: "ghcr.io/my-project/my-image:latest"
          keyless: true
          keyless-config:
            fulcio-url: "https://fulcio.sigstore.dev"
            rekor-url: "https://rekor.sigstore.dev"

This will use keyless signatures and upload the signature to the same repository as the image. Note that if the Fulcio URL and Rekor URL are not specified, the plugin will use the default values presented.

Configuration

image (Required, string)

References the image to sign

keyless (Optional, boolean)

If set to true, the plugin will use keyless signatures. If set to false, the plugin will use a keypair. If not specified, the plugin will default to true.

keyless-config (Optional, object)

If keyless is set to true, the plugin will use the following configuration parameters to sign the image:

  • fulcio_url (Optional, string): The URL of the Fulcio server to use. If not specified, the plugin will default to https://fulcio.sigstore.dev.
  • rekor_url (Optional, string): The URL of the Rekor server to use. If not specified, the plugin will default to https://rekor.sigstore.dev.

keyed-config (Optional, object)

If keyless is set to false, the plugin will use the following configuration parameters to sign the image:

  • key (Required, string): The path to the private key to use.

cosign-version (Optional, string)

Controls the version of cosign to be used.

Developing

To run the tests:

make test

Run the tests with debug logging enabled:

TEST_DEBUG=1 make test

To enable debug logging for a stubbed command in the test, you need to set or uncomment the export for the necessary command in the .bats file.

e.g. to view the debug logging for the cosign command, set the following at the top of the .bats file:

export cosign_STUB_DEBUG=/dev/tty

and then run the tests with debug logging enabled:

TEST_DEBUG=1 make test

About

A Buildkite plugin to run cosign and sign or verify your containers!

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 92.1%
  • Makefile 7.9%