Verify SLSA Provenance with Harness GitHub Actions
Harness GitHub Actions provide a seamless way to integrate Harness's Software Supply Chain Security (SCS) capabilities directly into GitHub workflows. You can use this GitHub Action to perform various supply chain security tasks.
The Harness GitHub Action includes multiple sub-actions, each designed for a specific task. This document focuses on the harness/github-actions/slsa-verification sub-action, which is used to verify the SLSA provenance attestation of a container image.
The harness/github-actions/slsa-verification sub-action verifies the SLSA provenance attestation by pulling the .att file from the configured container registry. It uses the public key from the key pair that was used to sign the attestation to perform the verification.
Keys for attestation and verification should be generated using Cosign and stored in HashiCorp Vault. Currently, Harness SCS supports only HashiCorp Vault. Support for additional Key Management Systems (KMS) will be introduced in the near future.
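To make the verification step concrete, here is an added Go example (not code from Harness or from cosign) that reproduces what a provenance check of this kind has to establish: the attestation pulled from the registry is a DSSE envelope whose signature must verify under the public half of the ecdsa-P256 key pair, its predicate must be SLSA provenance, and one of its subjects must carry the sha256 digest of the image being verified. The key pair is generated in-process instead of being fetched from Vault, and the statement, image name and digest are constructed sample values; the envelope layout (base64 in-toto payload, DER-encoded ECDSA signature over the DSSE pre-authentication encoding) is the one the DSSE and in-toto specifications define.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Envelope mirrors the DSSE JSON layout of a stored .att attestation:
// a base64 in-toto statement plus one or more signatures over its PAE.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64 of the DER-encoded ECDSA signature
}

// Statement is the part of an in-toto statement the verifier must inspect.
type Statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

const (
	inTotoPayloadType   = "application/vnd.in-toto+json"
	slsaPredicatePrefix = "https://slsa.dev/provenance/"
	// SampleDigest is a constructed sha256 standing in for the target image digest.
	SampleDigest = "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"
)

// SampleStatement is a constructed SLSA v1 provenance statement for the demo.
var SampleStatement = []byte(`{"_type":"https://in-toto.io/Statement/v1",` +
	`"subject":[{"name":"example_image","digest":{"sha256":"` + SampleDigest + `"}}],` +
	`"predicateType":"https://slsa.dev/provenance/v1",` +
	`"predicate":{"buildDefinition":{"buildType":"constructed-for-demo"}}}`)

// pae is the DSSE pre-authentication encoding: the bytes that are actually signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SignStatement plays the build-side attestation step: it signs the PAE of the
// statement with the private half of the key pair and wraps it in an envelope.
func SignStatement(priv *ecdsa.PrivateKey, statement []byte) (*Envelope, error) {
	h := sha256.Sum256(pae(inTotoPayloadType, statement))
	der, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{
		PayloadType: inTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(statement),
		Signatures:  []Signature{{Sig: base64.StdEncoding.EncodeToString(der)}},
	}, nil
}

// VerifyProvenance performs the checks a SLSA verification depends on: a signature
// that verifies under the public key, an SLSA provenance predicate, and a subject
// whose sha256 digest is the image being verified. Any failure returns an error.
func VerifyProvenance(pub *ecdsa.PublicKey, env *Envelope, targetDigest string) error {
	if env.PayloadType != inTotoPayloadType {
		return fmt.Errorf("unexpected payload type %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload is not valid base64: %w", err)
	}
	h := sha256.Sum256(pae(env.PayloadType, payload))
	signed := false
	for _, s := range env.Signatures {
		der, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ecdsa.VerifyASN1(pub, h[:], der) {
			signed = true
			break
		}
	}
	if !signed {
		return errors.New("no signature verifies under the supplied public key")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("payload is not an in-toto statement: %w", err)
	}
	if !strings.HasPrefix(st.PredicateType, slsaPredicatePrefix) {
		return fmt.Errorf("predicate %q is not SLSA provenance", st.PredicateType)
	}
	for _, subj := range st.Subject {
		if subj.Digest["sha256"] == targetDigest {
			return nil
		}
	}
	return errors.New("no attestation subject matches the target image digest")
}

func main() {
	// In-process ecdsa-P256 key pair standing in for the Cosign pair kept in Vault.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	env, _ := SignStatement(priv, SampleStatement)
	fmt.Println("genuine attestation:", VerifyProvenance(&priv.PublicKey, env, SampleDigest))
	fmt.Println("other image digest: ", VerifyProvenance(&priv.PublicKey, env, strings.Repeat("0", 64)))
}
```

The digest check is what ties an attestation to the specific image referenced by TARGET; a valid signature alone only proves that the signing key produced some provenance, not that it describes this image.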
Requirements
Here are the prerequisites for using the GitHub Action.
- Harness Account: Ensure you have a Harness account with the SCS license enabled.
- Harness Account Details: Save the following Harness account details, which are required for all sub-actions. It is recommended to securely store these values using GitHub Secrets.
| Key | Value Example | Description | Required |
|---|---|---|---|
| HARNESS_ACCOUNT_URL | https://example.harness.io | The URL of your Harness account. | Yes |
| HARNESS_ACCOUNT_ID | ppdfedDDDL_dharzdPs_JtWT7g | The unique identifier for your Harness account. | Yes |
| HARNESS_ORG_ID | SCS | The identifier for your Harness organization. | Yes |
| HARNESS_PROJECT_ID | SCS_ORG | The identifier for your Harness project within the organization. | Yes |
| HARNESS_API_KEY | ${{ secrets.SCS_API_KEY }} | The API key for authenticating with Harness. Create an API key using a Service Account (recommended) or a Personal Account, and then add the key to GitHub Actions Secrets with "HARNESS_API_KEY" as the key name. | Yes |
| VAULT_ADDR | https://myvault.example.com | The URL of your Vault. | No |
- Security Keys: A key pair is required for attestation generation and verification. The key should be generated using Cosign with the key type ecdsa-P256. Currently, HashiCorp Vault is supported for storing and retrieving the key. Additional Key Management Services (KMS) will be supported in the future.
Usage Example
```yaml
- name: SLSA Verification
  uses: harness/github-actions/slsa-verification
  with:
    HARNESS_ACCOUNT_URL: https://myaccount.harness.io
    HARNESS_ACCOUNT_ID: my_account_id_9YpRharzPs
    HARNESS_ORG_ID: my_org_id_default
    HARNESS_PROJECT_ID: example_project_id
    HARNESS_API_KEY: ${{ secrets.API_KEY_SAVED_AS_GH_SECRET }}
    VAULT_ADDR: ${{ secrets.VAULT_URL }}
    TARGET: example_image:latest
    VERIFY: true
    KMS_KEY: path/to/your/key
```
Configuration
Make sure to include the required configurations from the Requirements section in your workflow. Below are the specific configurations for the slsa-verification sub-action.
| Key | Value Example | Description | Required |
|---|---|---|---|
| TARGET | example_image:latest | The target artifact (Docker image) for which SLSA provenance verification is performed. | Yes |
| VERIFY | true or false | Boolean flag to determine if verification is required. | Yes |
| KMS_KEY | path/to/your/key | Path to the public key used for verifying the attestation. | No |
Sample workflow
Here's a sample workflow using the harness/github-actions/slsa-verification sub-action:
```yaml
name: SLSA Provenance Verification Workflow

on:
  push:
    branches:
      - main

jobs:
  slsa-verification-job:
    runs-on: self-hosted
    env:
      HARNESS_ACCOUNT_URL: 'https://myaccount.harness.io'
      HARNESS_ACCOUNT_ID: '_myaccount_rzPs_JtWT7g'
      HARNESS_ORG_ID: 'SCS'
      HARNESS_PROJECT_ID: 'SCS_ID'
      HARNESS_API_KEY: ${{ secrets.SCS_API_KEY }}
      VAULT_ADDR: ${{ secrets.VAULT_URL }}

    steps:
      # Step 1: Checkout the main repository
      - name: Checkout Main Repository
        uses: actions/checkout@v3

      # Step 2: Log in to Docker Hub
      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Step 3: Build and Tag Docker Image
      - name: Build and Tag Docker Image
        run: |
          docker build -t harness/github-service:latest -f ./stable/alpine/Dockerfile .
          echo "Docker image built and tagged as harness/github-service:latest."

      # Step 4: Push Docker Image to Docker Hub
      - name: Push Docker Image
        run: |
          docker push harness/github-service:latest
          echo "Docker image pushed to Docker Hub."

      # Step 5: Log in to Vault
      - name: Log in to Vault
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ secrets.VAULT_URL }}
          method: token
          token: ${{ secrets.VAULT_TOKEN }}

      # Step 6: Run SLSA Verification
      - name: Run SLSA Verification Action
        uses: harness/github-actions/slsa-verification
        with:
          TARGET: 'harness/github-service:latest'
          VERIFY: true
          KMS_KEY: 'cosign'
```