
Improve pipeline-security artifact integrity evidence #2000

Open: tiandashu wants to merge 1 commit into UnitOneAI:main from tiandashu:improve/pipeline-artifact-integrity

@tiandashu

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: pipeline-security
Skill path: skills/devsecops/pipeline-security/

What Was Wrong

The skill evaluated CICD-SEC-9 by checking whether signatures, provenance, SBOMs, and digest pinning exist, but it did not require evidence that these controls are bound to the same artifact and enforced before deployment.

That can over-credit pipelines that generate attestations while deployments still pull mutable tags or skip verification.

Closes #1824.

What This PR Fixes

  • Adds CICD-SEC-9 artifact integrity evidence requirements.
  • Requires artifact, build run, digest, signature/attestation, signing identity, provenance subject, SBOM subject, verification command/policy, and deployment reference.
  • Adds a dedicated artifact integrity evidence table and review checklist.
  • Adds an Evidence field to detailed findings so reports preserve control-specific proof.
  • Adds common pitfalls for generated-but-not-enforced attestations, mutable deploy references, mixed artifact evidence, unverified signing identity, and multi-architecture mismatch.
  • Adds vulnerable and benign test cases for the new gate.

Evidence

Before (skill misses this / false positive on this):

- run: cosign sign --yes ghcr.io/example/api:${{ github.sha }}
- run: syft ghcr.io/example/api:${{ github.sha }} -o spdx-json > sbom.json
- run: kubectl set image deploy/api api=ghcr.io/example/api:latest

The pipeline generates signature/SBOM evidence, but deployment uses a mutable tag that is not verified.

After (now correctly handled):

CICD-SEC-9 now requires the deployed artifact digest to match the signature, provenance subject, SBOM subject, verification step/admission policy, and deployment reference.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Crypto or PayPal details can be provided privately after maintainer acceptance.

Validation

  • git diff --check
  • Frontmatter check equivalent to .github/workflows/lint-skills.yml: passed for 50 files
  • Prompt injection scan equivalent to .github/workflows/injection-scan.yml: passed
  • Index file existence check equivalent to .github/workflows/validate-index.yml: passed for 50 entries
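
The binding described under "After" can be sketched as a check over one evidence record. This is an added example, not code from the PR or the skill; the record's field names and the sample digests are assumptions constructed for illustration.

```python
import re

# Field names below are hypothetical; they mirror the evidence items the PR lists.
PINNED = re.compile(r"@(sha256:[0-9a-f]{64})$")
SUBJECTS = ("signature_subject", "provenance_subject", "sbom_subject")

def check_artifact_binding(ev):
    """Return findings; an empty list means every control points at one digest."""
    findings = []
    built = ev.get("build_digest")
    if not built:
        findings.append("build_digest missing")
    pinned = PINNED.search(ev.get("deploy_ref", ""))
    if not pinned:
        findings.append("deploy_ref is a mutable tag, not a sha256 digest")
    elif pinned.group(1) != built:
        findings.append("deploy_ref digest does not match build_digest")
    for field in SUBJECTS:
        if ev.get(field) is None:
            findings.append(f"{field} missing")
        elif ev[field] != built:
            findings.append(f"{field} does not match build_digest")
    if not ev.get("signing_identity_verified"):
        findings.append("signing identity not verified")
    if not ev.get("verified_before_deploy"):
        findings.append("no verification step or admission policy before deploy")
    return findings

# Constructed sample data (digests are placeholders, not real images).
D = "sha256:" + "a" * 64
BEFORE = {  # shape of the "Before" workflow: signed and SBOM'd, deploys :latest
    "build_digest": D, "signature_subject": D, "sbom_subject": D,
    "provenance_subject": None, "deploy_ref": "ghcr.io/example/api:latest",
    "signing_identity_verified": False, "verified_before_deploy": False,
}
BOUND = {  # every control bound to D and checked before deployment
    "build_digest": D, "signature_subject": D, "sbom_subject": D,
    "provenance_subject": D, "deploy_ref": "ghcr.io/example/api@" + D,
    "signing_identity_verified": True, "verified_before_deploy": True,
}

if __name__ == "__main__":
    for name, ev in (("before", BEFORE), ("bound", BOUND)):
        print(name, check_artifact_binding(ev) or "OK")
```

A record whose SBOM or signature subject is the digest of a different build, or of a different platform image in a multi-architecture index, fails the same equality check.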

Development

Successfully merging this pull request may close these issues.

[REVIEW] pipeline-security: add artifact integrity evidence gates
