
feat(integration): guacsec/guac integration #211

Merged
merged 7 commits into from
Jun 28, 2023

Conversation

@migmartri migmartri commented Jun 27, 2023

Integration that allows Chainloop users to automatically send attestations (DSSE envelopes / in-toto statements) and CycloneDX/SPDX Software Bills of Materials (SBOMs) to a staging area in the form of a cloud storage bucket. GUAC can then be configured to continuously monitor that bucket and ingest the data in it.

See this Readme for more information.

overview

Currently, GUAC only supports Google Cloud Storage (GCS) as a blob storage backend, so this patch only implements this provider, although it leaves the API open to other providers in the future.

Discovery

The plugin is now available in the system

$ chainloop integration available ls        
┌──────────────────┬─────────┬─────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────────┐
│ ID               │ VERSION │ MATERIAL REQUIREMENT                │ DESCRIPTION                                                                                    │
├──────────────────┼─────────┼─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────┤
│ dependency-track │ 1.2     │ SBOM_CYCLONEDX_JSON                 │ Send CycloneDX SBOMs to your Dependency-Track instance                                         │
├──────────────────┼─────────┼─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────┤
│ smtp             │ 1.0     │                                     │ Send emails with information about a received attestation                                      │
├──────────────────┼─────────┼─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────┤
│ oci-registry     │ 1.0     │                                     │ Send attestations to a compatible OCI registry                                                 │
├──────────────────┼─────────┼─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────┤
│ discord-webhook  │ 1.1     │                                     │ Send attestations to Discord                                                                   │
├──────────────────┼─────────┼─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────┤
│ guac             │ 1.0     │ SBOM_CYCLONEDX_JSON, SBOM_SPDX_JSON │ Export Attestation and SBOMs metadata to a blob storage backend so guacsec/guac can consume it │
└──────────────────┴─────────┴─────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────────┘

And its definition can be retrieved, showing that today it sends both SBOM types:

$ chainloop integration available describe --id guac
┌──────┬─────────┬─────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────────┐
│ ID   │ VERSION │ MATERIAL REQUIREMENT                │ DESCRIPTION                                                                                    │
├──────┼─────────┼─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────┤
│ guac │ 1.0     │ SBOM_CYCLONEDX_JSON, SBOM_SPDX_JSON │ Export Attestation and SBOMs metadata to a blob storage backend so guacsec/guac can consume it │
└──────┴─────────┴─────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────┐
│ Registration inputs                                                        │
├─────────────┬────────┬──────────┬──────────────────────────────────────────┤
│ FIELD       │ TYPE   │ REQUIRED │ DESCRIPTION                              │
├─────────────┼────────┼──────────┼──────────────────────────────────────────┤
│ bucket      │ string │ yes      │ Bucket name where to store the artifacts │
│ credentials │ string │ yes      │ Credentials to access the bucket         │
│ provider    │ string │ no       │ Blob storage provider: default gcs       │
└─────────────┴────────┴──────────┴──────────────────────────────────────────┘

Registration

Registration is done by providing a bucket and service account credentials. The provider can be sent as well, although by default the only option we have now is gcs.

$ chainloop integration registered add guac --opt bucket=test-guac --opt credentials="$(cat /service-account-devel.json)"
┌──────────────────────────────────────┬─────────────┬──────┬───────────────────┬─────────────────────┐
│ ID                                   │ DESCRIPTION │ KIND │ CONFIG            │ CREATED AT          │
├──────────────────────────────────────┼─────────────┼──────┼───────────────────┼─────────────────────┤
│ d19dabf0-d6dd-4f00-91c0-eed209454d05 │             │ guac │ bucket: test-guac │ 28 Jun 23 14:23 UTC │
│                                      │             │      │ provider: gcs     │                     │
└──────────────────────────────────────┴─────────────┴──────┴───────────────────┴─────────────────────┘

Attachment

It does not require any options.

$ chainloop integration attached add --workflow 5e34b34f-882c-48b8-84c0-4f238e15a5fd --integration d19dabf0-d6dd-4f00-91c0-eed209454d05

┌──────────────────────────────────────┬──────┬───────────────────┬─────────────────────┬───────────────┐
│ ID                                   │ KIND │ CONFIG            │ ATTACHED AT         │ WORKFLOW      │
├──────────────────────────────────────┼──────┼───────────────────┼─────────────────────┼───────────────┤
│ 405b3c39-8654-4a3e-b048-d8e618d9c813 │ guac │ bucket: test-guac │ 28 Jun 23 14:24 UTC │ foo/only-sbom │
│                                      │      │ provider: gcs     │                     │               │
└──────────────────────────────────────┴──────┴───────────────────┴─────────────────────┴───────────────┘

Execution

  • SBOMs and DSSE envelopes will be uploaded named after their content digest to prevent file collisions under the chainloop path.
  • Such files will contain additional metadata for traceability later on.


Demo


Closes #209
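The content-addressed naming and traceability metadata described under Execution, as an added Go example (not Chainloop's own code; the kind names, the chainloop/ prefix, the .json suffix and the metadata keys are assumptions). It also refuses to stage a DSSE envelope that carries no payload or no signature, since GUAC could only treat such a blob as an unverifiable statement.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"path"
)

// Object is one blob destined for the staging bucket.
type Object struct {
	Key      string            // content-addressed name under the chainloop/ prefix (assumed layout)
	Metadata map[string]string // traceability metadata stored with the blob (assumed keys)
	Body     []byte
}

// envelope is the minimal DSSE shape needed to sanity-check an attestation.
type envelope struct {
	PayloadType string            `json:"payloadType"`
	Payload     string            `json:"payload"`
	Signatures  []json.RawMessage `json:"signatures"`
}

// ObjectFor derives the bucket object for an artifact of the given kind
// ("attestation", "sbom-cyclonedx" or "sbom-spdx"; names assumed here).
// The key is the SHA-256 of the content, so identical blobs collapse to one
// object and distinct blobs can never overwrite each other.
func ObjectFor(kind, workflowID string, content []byte) (*Object, error) {
	if !json.Valid(content) {
		return nil, errors.New("artifact is not valid JSON")
	}
	if kind == "attestation" {
		var env envelope
		if err := json.Unmarshal(content, &env); err != nil {
			return nil, err
		}
		// An unsigned or payload-less envelope is not worth staging.
		if env.PayloadType == "" || env.Payload == "" || len(env.Signatures) == 0 {
			return nil, errors.New("DSSE envelope lacks payloadType, payload or signatures")
		}
	}
	sum := sha256.Sum256(content)
	digest := hex.EncodeToString(sum[:])
	meta := map[string]string{"kind": kind, "workflow": workflowID, "digest": "sha256:" + digest}
	return &Object{Key: path.Join("chainloop", digest+".json"), Metadata: meta, Body: content}, nil
}
```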

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri changed the title feat(integration): guac GCP integration feat(integration): guacsec/guac integration Jun 28, 2023
@migmartri migmartri requested a review from danlishka June 28, 2023 14:31
@migmartri migmartri marked this pull request as ready for review June 28, 2023 14:31
migmartri commented Jun 28, 2023

Great review @danlishka! I'll tackle most of your comments! Stay tuned!

Thanks!


@danlishka danlishka left a comment


LGTM!

@migmartri migmartri merged commit 771418e into chainloop-dev:main Jun 28, 2023
10 checks passed
@migmartri migmartri deleted the guac-plugin branch June 28, 2023 22:43