@@ -62,8 +62,10 @@ echo "==========================================================================
6262echo " Finished getting docker digest and tags"
6363echo " ============================================================================================"
6464
65+ echo ' ## Secure Software Supply Chain :rocket:' >> " $GITHUB_STEP_SUMMARY "
6566if [ -n " ${SIGN} " ]
6667then
68+ echo ' ### Sign image' >> " $GITHUB_STEP_SUMMARY "
6769 echo " Signing image"
6870
6971 COSIGN_KEY=$( mktemp /tmp/cosign.XXXXXXXXXX) || exit 1
7880
7981 echo " Verify signing"
8082 cosign verify --key " $COSIGN_PUB " " $docker_registry_prefix " /" $imagename " @" ${containerdigest} "
81-
82- echo " ::notice::Image is signed. You can verify it with the following command."
83- echo " ::notice::cosign verify --key cosign.pub $docker_registry_prefix /$imagename @${containerdigest} "
83+
84+ {
85+ echo ' Image is signed. You can verify it with the following command:'
86+ echo ' ```bash'
87+ echo " cosign verify --key cosign.pub $docker_registry_prefix /$imagename @${containerdigest} "
88+ echo ' ```'
89+ } >> " $GITHUB_STEP_SUMMARY "
8490fi
8591
8692if [ -n " ${SLSA_PROVENANCE} " ]
8793then
94+ echo " ### SLSA Provenance" >> " $GITHUB_STEP_SUMMARY "
8895 echo " Running SLSA Provenance"
8996
9097 encoded_github=" $( echo " $GITHUB_CONTEXT " | base64 -w 0) "
@@ -116,13 +123,18 @@ then
116123 echo " Attest predicate"
117124 cosign attest --predicate provenance-predicate.json --key " $COSIGN_KEY " --type slsaprovenance " $docker_registry_prefix " /" $imagename " @" ${containerdigest} "
118125
119- echo " ::notice::SLSA Provenance file is attested. You can verify it with the following command."
120- echo " ::notice::cosign verify-attestation --key cosign.pub $docker_registry_prefix /$imagename @${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\" https://slsa.dev/provenance/v0.2\" ) | .'"
126+ {
127+ echo " SLSA Provenance file is attested. You can verify it with the following command."
128+ echo ' ```bash'
129+ echo " cosign verify-attestation --key cosign.pub $docker_registry_prefix /$imagename @${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\" https://slsa.dev/provenance/v0.2\" ) | .'"
130+ echo ' ```'
131+ } >> " $GITHUB_STEP_SUMMARY "
121132 fi
122133fi
123134
124135if [ -n " ${SBOM} " ]
125136then
137+ echo " ### SBOM" >> " $GITHUB_STEP_SUMMARY "
126138 echo " Using Syft to generate SBOM"
127139
128140 syft packages " $docker_registry_prefix " /" $imagename " @" ${containerdigest} " -o spdx-json=sbom-spdx-formatted.json
@@ -145,8 +157,13 @@ then
145157
146158 echo " Done attesting the SBOM"
147159
148- echo " ::notice::SBOM file is attested. You can verify it with the following command."
149- echo " ::notice::cosign verify-attestation --key cosign.pub $docker_registry_prefix /$imagename @${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\" https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'"
160+ {
161+ echo " SBOM file is attested. You can verify it with the following command."
162+ echo ' ```bash'
163+ echo " cosign verify-attestation --key cosign.pub $docker_registry_prefix /$imagename @${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\" https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'"
164+ echo ' ```'
165+ } >> " $GITHUB_STEP_SUMMARY "
166+
150167 fi
151168fi
152169