
Feature/lab8 #906

Open
LegendIU wants to merge 2 commits into inno-devops-labs:main from LegendIU:feature/lab8

Conversation

@LegendIU

Summary

This PR adds my Lab 8 submission for Software Supply Chain Security.

The lab demonstrates a local container image signing workflow using Cosign, including image signing, signature verification, tag tampering detection, SBOM and provenance attestations, attestation payload inspection, and non-container artifact signing.

What was completed

Task 1 — Local Registry, Signing, Verification, and Tamper Demo

  • Pulled bkimminich/juice-shop:v19.0.0
  • Pushed the image to a local registry at localhost:5000
  • Resolved and signed the local registry image by digest
  • Verified the image signature with the Cosign public key
  • Demonstrated tag tampering by replacing the juice-shop:v19.0.0 tag with busybox:latest
  • Confirmed that verification fails for the tampered digest
  • Confirmed that the original signed digest still verifies successfully

Task 2 — SBOM and Provenance Attestations

  • Generated a Syft SBOM for the Juice Shop image
  • Converted the SBOM to CycloneDX JSON
  • Attached and verified a CycloneDX SBOM attestation
  • Decoded and inspected the SBOM attestation payload
  • Created a simple SLSA provenance predicate
  • Used my university email as the provenance builder identifier
  • Attached and verified the provenance attestation
  • Decoded and inspected the provenance attestation payload

Task 3 — Artifact / Blob Signing

  • Created a sample non-container artifact as a tarball
  • Signed the artifact using cosign sign-blob
  • Verified the blob signature using the generated bundle and public key

Evidence

Main submission file:

  • labs/submission8.md

Task evidence is stored under:

  • labs/lab8/analysis/
  • labs/lab8/attest/
  • labs/lab8/artifacts/
  • labs/lab4/syft/

Security note

The private Cosign key is excluded from version control through .gitignore. Only logs, reports, attestations, public evidence, and generated lab artifacts are included in this PR.

Checklist

  • Task 1 — Local registry, signing, verification, and tamper demo
  • Task 2 — SBOM and provenance attestations with payload inspection
  • Task 3 — Artifact/blob signing
  • labs/submission8.md added
  • Evidence files committed
  • Private Cosign key not committed
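The "decoded and inspected the attestation payload" step in Task 2 is the part of the workflow that Cosign does not do for you: `cosign verify-attestation` checks the signature, but whether the decoded in-toto statement actually refers to the digest you signed and names the builder you expect is still your check. The following is an added example, not code from this PR or the lab; it builds a constructed DSSE envelope of the shape `cosign download attestation` prints (placeholder digest, placeholder signature, assumed builder email `student@example.edu`), decodes it, and applies those checks.

```python
import base64
import json

# Constructed sample: a DSSE envelope like the one `cosign download attestation`
# prints, wrapping an in-toto statement with a minimal SLSA provenance predicate.
# The digest, image name, builder id and signature are placeholders, not lab values.
IMAGE_DIGEST = "sha256:" + "ab" * 32  # placeholder for the signed juice-shop digest
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "localhost:5000/juice-shop",
                 "digest": {"sha256": IMAGE_DIGEST.split(":", 1)[1]}}],
    "predicate": {"builder": {"id": "student@example.edu"},
                  "buildType": "manual-lab-build"},
}
ENVELOPE_JSON = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<placeholder-signature>"}],
})


def decode_attestation(envelope_json: str) -> dict:
    """Decode the base64 DSSE payload and return the in-toto statement as a dict."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def check_provenance(statement: dict, expected_digest: str, expected_builder: str) -> list:
    """Return findings for a decoded statement; an empty list means it matches.

    These are the checks a signature alone does not give you: the predicate
    type, the subject digest (it must be the digest you signed, not a retagged
    image) and the builder identity."""
    findings = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        findings.append(f"predicateType is {statement.get('predicateType')!r}")
    want = expected_digest.split(":", 1)[1]
    if not any(s.get("digest", {}).get("sha256") == want
               for s in statement.get("subject", [])):
        findings.append("subject digest does not match the signed image digest")
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        findings.append(f"builder id {builder!r} != {expected_builder!r}")
    return findings


if __name__ == "__main__":
    stmt = decode_attestation(ENVELOPE_JSON)
    print(json.dumps(stmt, indent=2))
    print(check_provenance(stmt, IMAGE_DIGEST, "student@example.edu"))  # prints []
```

Feed it the real envelope (the JSON line from `cosign download attestation`) and the digest you passed to `cosign sign`; a retagged image, as in the Task 1 tamper demo, fails the subject check even before its signature does.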
