# GitHub Action for creating and registering SCITT statements with Software Trust Manager and DataTrails

This GitHub Action provides the ability to create and sign SCITT statements using code signing keys protected by DigiCert Software Trust Manager, and to register these statements with a SCITT transparency service operated by DataTrails.

> **Note:** This SCITT GitHub Action is in Preview, pending adoption of the SCITT Reference APIs (SCRAPI). To use a production supported implementation, please contact DataTrails for more info.
To use the action:

1. Generate a keypair and corresponding end-entity certificate in Software Trust Manager.
2. Create an account at DataTrails and create an access token.
3. Configure the GitHub SCITT Action with the inputs and secrets described below, following the example.
## Inputs

- `content-type` (required): The payload content type (IANA media type) to be registered on the SCITT service (e.g. `application/spdx+json`, `application/vnd.cyclonedx+json`, or the media type of a scan result or attestation).
- `datatrails-client_id` (required): The CLIENT_ID used to access the DataTrails SCITT APIs.
- `datatrails-secret` (required): The SECRET used to access the DataTrails SCITT APIs.
- `payload-file` (required): The payload file to be registered on the SCITT service (e.g. SBOM, scan result, attestation).
- `payload-location` (optional): A location where the content of the payload may be stored.
- Receipt file (optional): The filename under which the CBOR receipt is saved. Default: `receipt.cbor`.
- Signed statement file (optional): The file holding the signed SCITT statement that will be registered with the SCITT transparency service. The file itself is always produced; the parameter is optional because it has a default file name. See Signed Statement Issuance and Registration. Default: `signed-statement.cbor`.
- `skip-receipt` (optional): Set to `1` to skip receipt retrieval. Default: `0`.
- `subject` (required): Unique ID for the collection of statements about an artifact. For more info, see subject in the IETF SCITT Terminology.
## Secrets

This action requires that secrets containing credentials and keypair information be configured. Specifically, the following secrets are required:

- `DIGICERT_STM_CERTIFICATE_ID`: ID of the certificate and keypair protected in Software Trust Manager
- `DIGICERT_STM_API_KEY`: The Software Trust Manager API key
- `DIGICERT_STM_API_BASE_URI`: The base URI of the Software Trust Manager API
- `DIGICERT_STM_API_CLIENTAUTH_P12_B64`: The base-64 encoded PKCS #12 file for client authentication to the Software Trust Manager API
- `DIGICERT_STM_API_CLIENTAUTH_P12_PASSWORD`: The password for the PKCS #12 file for client authentication to the Software Trust Manager API
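Because a misconfigured secret only surfaces once the action calls Software Trust Manager or DataTrails, it is worth validating the secret material and the inputs in a step that runs before the signing step. The following pre-flight check is an added example and is not part of the digicert/scitt-action project; it checks only what can be verified offline (presence of every secret, an `https://` base URI, that the PKCS #12 value is base64 of a DER SEQUENCE, that a `+json` payload parses, and that `subject` is non-empty) and reports problems by name without ever printing a secret value. The `stm.example.invalid` host and the tiny DER blob in the sample environment are constructed placeholders.

```python
"""Pre-flight check for the secrets and inputs this workflow hands to the action.

Added example (not part of the digicert/scitt-action project): run it as a
workflow step before the signing step so misconfiguration fails fast, without
a round trip to Software Trust Manager or DataTrails and without echoing any
secret value into the job log.
"""
import base64
import json
import os
import sys

# Secret names as listed in the README; the action reads the DIGICERT_STM_* values
# from the environment and the DataTrails ones from its inputs.
REQUIRED_SECRETS = (
    "DATATRAILS_CLIENT_ID",
    "DATATRAILS_SECRET",
    "DIGICERT_STM_CERTIFICATE_ID",
    "DIGICERT_STM_API_KEY",
    "DIGICERT_STM_API_BASE_URI",
    "DIGICERT_STM_API_CLIENTAUTH_P12_B64",
    "DIGICERT_STM_API_CLIENTAUTH_P12_PASSWORD",
)


def check_secrets(env):
    """Return a list of problems with the secret material; [] means all checks passed."""
    problems = [f"secret {name} is not set" for name in REQUIRED_SECRETS if not env.get(name)]

    base_uri = env.get("DIGICERT_STM_API_BASE_URI", "")
    if base_uri and not base_uri.startswith("https://"):
        problems.append("DIGICERT_STM_API_BASE_URI must be an https:// URL")

    p12_b64 = env.get("DIGICERT_STM_API_CLIENTAUTH_P12_B64", "")
    if p12_b64:
        try:
            # validate=True rejects stray characters instead of silently skipping them
            der = base64.b64decode(p12_b64, validate=True)
        except ValueError:
            problems.append("DIGICERT_STM_API_CLIENTAUTH_P12_B64 is not valid base64")
        else:
            # A PKCS #12 PFX is a DER SEQUENCE, so its first byte must be 0x30.
            if not der or der[0] != 0x30:
                problems.append("DIGICERT_STM_API_CLIENTAUTH_P12_B64 does not decode to a DER PKCS #12 file")
    return problems


def check_inputs(payload, content_type, subject):
    """Validate the payload bytes against the declared content type, plus the subject."""
    problems = []
    if payload is None or len(payload) == 0:
        problems.append("payload-file is missing or empty")
    elif content_type == "application/json" or content_type.endswith("+json"):
        try:
            json.loads(payload)
        except ValueError:
            problems.append(f"payload is not valid JSON but content-type is {content_type}")
    if "/" not in content_type:
        problems.append("content-type must be a media type such as application/spdx+json")
    if not subject.strip():
        problems.append("subject must not be empty")
    return problems


def preflight(env, payload, content_type, subject):
    """All checks combined; an empty list means the action can be invoked."""
    return check_secrets(env) + check_inputs(payload, content_type, subject)


# Constructed sample environment: a 5-byte DER SEQUENCE stands in for a real PKCS #12 file
# and every other secret is a placeholder string.
SAMPLE_P12_B64 = base64.b64encode(b"\x30\x03\x02\x01\x03").decode()
SAMPLE_ENV = {name: "placeholder" for name in REQUIRED_SECRETS}
SAMPLE_ENV["DIGICERT_STM_API_BASE_URI"] = "https://stm.example.invalid"  # placeholder host
SAMPLE_ENV["DIGICERT_STM_API_CLIENTAUTH_P12_B64"] = SAMPLE_P12_B64


if __name__ == "__main__":
    # Usage in a workflow step: python preflight.py <payload-file> <content-type> <subject>
    path, content_type, subject = sys.argv[1:4]
    try:
        with open(path, "rb") as fh:
            payload = fh.read()
    except OSError:
        payload = None
    found = preflight(os.environ, payload, content_type, subject)
    for problem in found:
        print(f"::error::{problem}")  # GitHub Actions annotation; names the problem, never the value
    sys.exit(1 if found else 0)
```

Run it as a `run:` step with the same `env:` block the workflow already defines; a non-zero exit stops the job before any credential is sent anywhere, and the `::error::` lines appear as annotations on the run.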
## Example

The following example shows a minimal implementation. Pre-requisites:

- A DigiCert Software Trust Manager or Key Locker account
- A DataTrails subscription
- The following GitHub Action secrets:
  - `secrets.DATATRAILS_CLIENT_ID`: see Creating Access Tokens Using a Custom Integration
  - `secrets.DATATRAILS_SECRET`: see above
  - `secrets.DIGICERT_STM_CERTIFICATE_ID`
  - `secrets.DIGICERT_STM_API_BASE_URI`
  - `secrets.DIGICERT_STM_API_CLIENTAUTH_P12_PASSWORD`
  - `secrets.DIGICERT_STM_API_CLIENTAUTH_P12_B64`
  - `secrets.DIGICERT_STM_API_KEY`
Sample GitHub workflow `digicert-datatrails-scitt-action.yml`:

```yaml
name: Register a DigiCert Signed SCITT Statement on DataTrails
on:
  workflow_dispatch:
  # push:
  #   branches: [ "main" ]
env:
  DATATRAILS_CLIENT_ID: ${{ secrets.DATATRAILS_CLIENT_ID }}
  DATATRAILS_SECRET: ${{ secrets.DATATRAILS_SECRET }}
  DIGICERT_STM_CERTIFICATE_ID: ${{ secrets.DIGICERT_STM_CERTIFICATE_ID }}
  DIGICERT_STM_API_BASE_URI: ${{ secrets.DIGICERT_STM_API_BASE_URI }}
  DIGICERT_STM_API_CLIENTAUTH_P12_PASSWORD: ${{ secrets.DIGICERT_STM_API_CLIENTAUTH_P12_PASSWORD }}
  DIGICERT_STM_API_CLIENTAUTH_P12_B64: ${{ secrets.DIGICERT_STM_API_CLIENTAUTH_P12_B64 }}
  DIGICERT_STM_API_KEY: ${{ secrets.DIGICERT_STM_API_KEY }}
jobs:
  build-image-register-DataTrails-SCITT:
    runs-on: ubuntu-latest
    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Create buildOutput Directory
        run: |
          mkdir -p ./buildOutput/
      - name: Create Compliance Statement
        # A sample compliance file. Replace with an SBOM, in-toto statement, image for content authenticity, ...
        run: |
          echo '{"author": "fred", "title": "my biography", "reviews": "mixed"}' > ./buildOutput/attestation.json
      - name: Upload Attestation
        id: upload-attestation
        uses: actions/upload-artifact@v4
        with:
          name: attestation.json
          path: ./buildOutput/attestation.json
      - name: Sign & Register as a SCITT Signed Statement
        # Register the DigiCert Signed Statement with the DataTrails SCITT APIs
        id: register-compliance-scitt-signed-statement
        uses: digicert/scitt-action@v0.3
        with:
          content-type: "application/vnd.unknown.attestation+json"
          datatrails-client_id: ${{ env.DATATRAILS_CLIENT_ID }}
          datatrails-secret: ${{ env.DATATRAILS_SECRET }}
          payload-file: "./buildOutput/attestation.json"
          payload-location: ${{ steps.upload-attestation.outputs.artifact-url }}
          subject: "ghcr.io/${{ github.repository }}:${{ github.sha }}"
          skip-receipt: "0"
      - name: upload-signed-statement
        uses: actions/upload-artifact@v4
        with:
          name: signed-statement
          path: signed-statement.cbor
      - name: upload-receipt
        uses: actions/upload-artifact@v4
        with:
          name: receipt
          path: receipt.cbor
```
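The workflow uploads `signed-statement.cbor` as an artifact without looking inside it. A consumer of that artifact will want to confirm that the statement actually wraps the payload the job meant to register, with the content type the job declared. The following inspector is an added example and is not code from digicert/scitt-action or DataTrails. It assumes the signed statement is a COSE_Sign1 structure (CBOR tag 18) as used by the IETF SCITT architecture, with the algorithm in protected header label 1 and the payload content type in label 3 (the standard COSE header labels), and that the payload is embedded rather than detached. It only reads the structure: verifying the signature needs the issuer's end-entity certificate from Software Trust Manager and is not attempted here. The sample blob at the bottom is constructed by hand and carries a dummy signature.

```python
"""Inspect the signed-statement.cbor the action writes before trusting or uploading it.

Added example, not part of the digicert/scitt-action project. Assumes a COSE_Sign1
(CBOR tag 18) with an embedded payload; no signature verification is performed.
"""
import hashlib
import sys


class Tagged:
    """A CBOR tagged value (major type 6)."""
    def __init__(self, tag, value):
        self.tag, self.value = tag, value


def _head(data, pos):
    """Decode one CBOR initial byte plus its argument; returns (major, arg, next_pos)."""
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError("indefinite-length CBOR items are not supported")
    return major, int.from_bytes(data[pos:pos + width], "big"), pos + width


def decode(data, pos=0):
    """Minimal CBOR decoder for the definite-length types COSE_Sign1 uses; returns (value, next_pos)."""
    major, arg, pos = _head(data, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(data[pos:pos + arg]), pos + arg
    if major == 3:
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = decode(data, pos)
            result[key], pos = decode(data, pos)
        return result, pos
    if major == 6:
        value, pos = decode(data, pos)
        return Tagged(arg, value), pos
    raise ValueError(f"unsupported CBOR major type {major}")


def inspect_signed_statement(blob):
    """Return the algorithm, content type, payload and signature length of a COSE_Sign1 blob."""
    top, end = decode(blob)
    if end != len(blob):
        raise ValueError("trailing bytes after the COSE_Sign1 structure")
    if not isinstance(top, Tagged) or top.tag != 18:
        raise ValueError("not a COSE_Sign1 (expected CBOR tag 18)")
    protected_bytes, unprotected, payload, signature = top.value
    protected, _ = decode(protected_bytes)  # the protected header is itself a CBOR map
    return {
        "alg": protected.get(1),           # COSE header label 1: algorithm, e.g. -7 for ES256
        "content_type": protected.get(3),  # COSE header label 3: payload content type
        "payload": payload,
        "signature_len": len(signature),
    }


def payload_matches(blob, expected_payload):
    """True when the embedded payload is byte-for-byte the file the workflow meant to register."""
    embedded = inspect_signed_statement(blob)["payload"]
    return hashlib.sha256(embedded).digest() == hashlib.sha256(expected_payload).digest()


# Constructed sample: ES256 alg, application/json content type, payload {"a":1},
# and a 4-byte placeholder where a real signature would be.
SAMPLE_SIGNED_STATEMENT = bytes.fromhex(
    "d2 84"                                               # tag 18, array(4)
    "55 a2 01 26 03 70 6170706c69636174696f6e2f6a736f6e"  # protected: {1: -7, 3: "application/json"}
    "a0"                                                  # unprotected: {}
    "47 7b2261223a317d"                                   # payload: {"a":1}
    "44 deadbeef"                                         # signature placeholder
)

if __name__ == "__main__":
    # Usage: python inspect_statement.py signed-statement.cbor ./buildOutput/attestation.json
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    with open(sys.argv[2], "rb") as fh:
        expected = fh.read()
    info = inspect_signed_statement(blob)
    print(f"alg={info['alg']} content_type={info['content_type']} signature_bytes={info['signature_len']}")
    sys.exit(0 if payload_matches(blob, expected) else 1)
```

Placed as a step between the signing step and `upload-signed-statement`, a non-zero exit keeps a statement whose payload or content type does not match the job's inputs from ever being published as an artifact.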