Supply Chain Security

The repository applies defence-in-depth across source, dependencies, and the published image.

SBOM

A Software Bill of Materials is generated by Trivy from the runtime image in SPDX JSON format and is available in two places:

  • Workflow artifact — downloadable from the GitHub Actions run summary, retained for 90 days
  • Registry attestation — attached to the image digest via Cosign (see below)

Cosign signing

Images are signed using Cosign with keyless signing — no private key is stored anywhere. The signature is produced using the GitHub Actions OIDC token and recorded in the Sigstore transparency log (Rekor).

The signature is stored in GHCR alongside the image as an OCI artifact.

Verify an image

cosign verify \
  --certificate-identity-regexp="https://github.com/<owner>/python-zero-code-demo/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/<owner>/python-zero-code-demo:<tag>

Verify the SBOM attestation

cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp="https://github.com/<owner>/python-zero-code-demo/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/<owner>/python-zero-code-demo:<tag>
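The two cosign commands above print JSON; in a deployment pipeline that output is normally consumed by a script rather than read by eye. The following is an added example (not code from the python-zero-code-demo repository) that applies the same issuer and identity policy as the flags above to the JSON `cosign verify` prints, additionally pins the accepted signature to the image digest that will actually be deployed, and unwraps the DSSE envelope printed by `cosign verify-attestation --type spdxjson` to list the SBOM's packages. The owner (`example-owner`), digest, workflow path, package names and versions are constructed placeholders; the identity regexp is matched with `re.fullmatch` so that a longer string that merely contains the repository URL does not satisfy it.

```python
"""Policy checks on cosign keyless verification output.

Added example; not part of the python-zero-code-demo repository. It parses
the JSON that `cosign verify` and `cosign verify-attestation` print and
enforces the same issuer/identity policy as the CLI flags, plus a digest pin.
Owner, digest, workflow path and package list below are constructed placeholders.
"""
import base64
import json
import re

# Policy: mirrors --certificate-oidc-issuer and --certificate-identity-regexp.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
# Matched with fullmatch below, so the regexp is effectively anchored at both ends.
# "example-owner" is a placeholder for the real GitHub owner.
IDENTITY_RE = re.compile(r"https://github\.com/example-owner/python-zero-code-demo/.*")

# Constructed digest of the manifest the pipeline intends to deploy.
PINNED_DIGEST = "sha256:" + "ab" * 32

# Constructed `cosign verify` output: a JSON array with one entry per signature.
VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/example-owner/python-zero-code-demo"},
        "image": {"docker-manifest-digest": PINNED_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": EXPECTED_ISSUER,
        "Subject": "https://github.com/example-owner/python-zero-code-demo/"
                   ".github/workflows/build.yml@refs/heads/main",
    },
}])

# Constructed `cosign verify-attestation --type spdxjson` output: a DSSE envelope
# whose payload is a base64 in-toto Statement wrapping the SPDX document.
_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "name": "ghcr.io/example-owner/python-zero-code-demo",
    "packages": [{"name": "requests", "versionInfo": "2.31.0"},
                 {"name": "libssl3", "versionInfo": "3.0.13-1"}],
}
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "ghcr.io/example-owner/python-zero-code-demo",
                 "digest": {"sha256": PINNED_DIGEST.removeprefix("sha256:")}}],
    "predicate": _SPDX,
}
ATTESTATION_OUTPUT = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-BASE64-SIGNATURE"}],
})


def signature_problems(verify_output: str, expected_digest: str) -> list[str]:
    """Return policy violations; an empty list means some signature was accepted.

    A signature is accepted only if issuer, subject and signed digest all match.
    The digest check ties verification to the exact manifest that will run,
    rather than to a tag that can be re-pointed later.
    """
    signatures = json.loads(verify_output)
    if not signatures:
        return ["no signatures in cosign output"]
    all_problems = []
    for sig in signatures:
        optional = sig.get("optional") or {}
        digest = sig["critical"]["image"]["docker-manifest-digest"]
        problems = []
        if optional.get("Issuer") != EXPECTED_ISSUER:
            problems.append(f"unexpected issuer {optional.get('Issuer')!r}")
        if not IDENTITY_RE.fullmatch(optional.get("Subject") or ""):
            problems.append(f"subject {optional.get('Subject')!r} outside allowed identity")
        if digest != expected_digest:
            problems.append(f"signed digest {digest} != pinned digest {expected_digest}")
        if not problems:
            return []
        all_problems.extend(problems)
    return all_problems


def decode_statement(envelope_json: str) -> dict:
    """Unwrap the in-toto Statement from a DSSE envelope. cosign has already
    checked the envelope signature; this only decodes the payload."""
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def sbom_packages(envelope_json: str, expected_digest: str) -> dict[str, str]:
    """Return {package: version} from an SPDX attestation, after checking that
    the statement is an SPDX document and that its subject is the pinned digest."""
    statement = decode_statement(envelope_json)
    if statement.get("predicateType") != "https://spdx.dev/Document":
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')!r}")
    want_hex = expected_digest.removeprefix("sha256:")
    if not any(s.get("digest", {}).get("sha256") == want_hex for s in statement.get("subject", [])):
        raise ValueError("attestation subject does not cover the pinned digest")
    return {p["name"]: p.get("versionInfo", "") for p in statement["predicate"].get("packages", [])}


if __name__ == "__main__":
    print("signature problems:", signature_problems(VERIFY_OUTPUT, PINNED_DIGEST))
    print("SBOM packages:", sbom_packages(ATTESTATION_OUTPUT, PINNED_DIGEST))
```

In a real pipeline the two constants would be replaced by the captured stdout of the cosign commands and by the digest resolved for the tag being deployed; deploying by digest and checking it against the signed payload is what stops a later re-tag from silently changing what the signature covers.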

Provenance

The docker/build-push-action generates a signed SLSA provenance attestation (provenance: true) and an OCI SBOM (sbom: true) for every pushed image, stored as attestations in GHCR.

Source analysis (CodeQL)

Every push to main and every PR is analysed by CodeQL (codeql.yml) using the security-and-quality query suite. It catches injection flaws, insecure deserialization, and other patterns that linters miss. A weekly scheduled run catches newly published queries. Findings appear in Security → Code scanning.

Repository posture (OSSF Scorecard)

A weekly scorecard.yml workflow evaluates the repo against OSSF Scorecard best practices:

  • Branch protection and required code review
  • Dependency version pinning
  • CI test enforcement
  • Signed releases
  • Token permission hygiene

Results are uploaded to Security → Code scanning and published to the OpenSSF API to power the public scorecard badge.

Dependency Review

Every pull request is checked by actions/dependency-review-action before it can be merged. It compares the dependency graph before and after the PR and blocks merge if any newly introduced package has a known vulnerability.

Vulnerability scanning

Trivy scans the runtime image on every CI run in two passes:

Pass 1 — pipeline gate

Severity filter : CRITICAL, HIGH
Ignore unfixed  : yes (vulnerabilities with no available fix are skipped)
Exit code       : 1 (blocks the pipeline)

Pass 2 — SARIF upload

Results are exported in SARIF format and uploaded to the repo's Security → Code scanning tab via github/codeql-action/upload-sarif. This provides a persistent, searchable view of image CVEs directly in GitHub, independent of whether the pipeline passed or failed.
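To make the two passes concrete, here is an added example (not the repository's workflow code) that reproduces them over Trivy's JSON report format: Pass 1 keeps only CRITICAL and HIGH findings that have a fixed version and returns exit code 1 if any remain, and Pass 2 renders every finding, including the ones the gate ignored, into a minimal SARIF 2.1.0 document of the kind that is uploaded to Code scanning. Trivy's own `--format sarif` output is richer than this; the rule and level mapping here is this example's choice. The report contents, CVE identifiers (`CVE-0000-1000x`), package names and versions are constructed placeholders.

```python
"""Trivy gate (Pass 1) and SARIF export (Pass 2) over a Trivy JSON report.

Added example; not the repository's own workflow code. Reproduces the
Pass 1 filter (CRITICAL/HIGH, fixed-only, exit code 1) and emits a minimal
SARIF 2.1.0 document for Pass 2. Field mapping is this example's choice.
CVE ids, package names and versions are constructed placeholders.
"""
import json

GATE_SEVERITIES = ("CRITICAL", "HIGH")

# Constructed report in the shape of `trivy image --format json`.
TRIVY_REPORT = {
    "ArtifactName": "ghcr.io/example-owner/python-zero-code-demo:example",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "ghcr.io/example-owner/python-zero-code-demo:example (debian 12.4)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-10001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2",
                 "Severity": "CRITICAL", "Title": "constructed critical finding"},
                {"VulnerabilityID": "CVE-0000-10002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3.0-1", "FixedVersion": "",
                 "Severity": "HIGH", "Title": "constructed high finding, no fix yet"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-10003", "PkgName": "examplepkg",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1",
                 "Severity": "MEDIUM", "Title": "constructed medium finding"},
            ],
        },
    ],
}


def findings(report: dict) -> list[dict]:
    """Flatten Results[].Vulnerabilities[] into one list, tagging each with its Target."""
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            out.append({**vuln, "Target": result.get("Target", "")})
    return out


def gate(report: dict, severities=GATE_SEVERITIES, ignore_unfixed: bool = True):
    """Pass 1. Returns (exit_code, blocking_findings).

    ignore_unfixed drops findings with no FixedVersion, the semantics of
    trivy's --ignore-unfixed: a finding nobody can act on yet does not break
    the build, but it still reaches the SARIF upload in Pass 2.
    """
    blocking = [f for f in findings(report)
                if f.get("Severity") in severities
                and (f.get("FixedVersion") or not ignore_unfixed)]
    return (1 if blocking else 0), blocking


# Severity -> SARIF level; anything not listed becomes "note".
_LEVELS = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning"}


def to_sarif(report: dict) -> dict:
    """Pass 2. Minimal SARIF 2.1.0 containing every finding, whatever the gate decided."""
    rules, results, seen = [], [], set()
    for f in findings(report):
        rule_id = f["VulnerabilityID"]
        if rule_id not in seen:
            seen.add(rule_id)
            rules.append({"id": rule_id, "shortDescription": {"text": f.get("Title", rule_id)}})
        fix = f"fixed in {f['FixedVersion']}" if f.get("FixedVersion") else "no fix available"
        results.append({
            "ruleId": rule_id,
            "level": _LEVELS.get(f.get("Severity"), "note"),
            "message": {"text": f"{f['PkgName']} {f['InstalledVersion']} is affected by {rule_id}; {fix}"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["Target"]}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "trivy-gate-example", "rules": rules}},
                  "results": results}],
    }


if __name__ == "__main__":
    code, blocking = gate(TRIVY_REPORT)
    print("gate exit code:", code, "blocking:", [f["VulnerabilityID"] for f in blocking])
    print(json.dumps(to_sarif(TRIVY_REPORT), indent=2))
```

Running the block against the constructed report blocks on the fixed CRITICAL finding only, while the SARIF document still carries the unfixed HIGH and the MEDIUM finding, which is the property the page describes: the gate decides whether the pipeline passes, the upload gives a complete record either way.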