Skip to content

v0.18.1

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 24 Jun 13:52
v0.18.1
6823d77
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Docker images

Pull the matching ghcr.io tag:

docker pull ghcr.io/cloudfieldcz/shieldoo-gate:0.18.1
docker pull ghcr.io/cloudfieldcz/scanner-bridge:0.18.1

Image pages:

shdg CLI

Push-from-CI client. Pre-built for Linux, macOS, and Windows:

OS Arch Archive
Linux x86_64 shdg-0.18.1-linux-amd64.tar.gz
Linux aarch64 shdg-0.18.1-linux-arm64.tar.gz
macOS Intel shdg-0.18.1-darwin-amd64.tar.gz
macOS Apple Silicon shdg-0.18.1-darwin-arm64.tar.gz
Windows x86_64 shdg-0.18.1-windows-amd64.zip

shdg version reports 0.18.1 to match the Docker tag.
Verify archive integrity with SHA256SUMS (also attached).

Supply-chain security

All artifacts are signed and carry SLSA build provenance (keyless, via GitHub OIDC + Sigstore).

  • Images — cosign signature + SLSA provenance + CycloneDX SBOM attached as OCI referrers: 
    cosign verify ghcr.io/cloudfieldcz/shieldoo-gate:0.18.1 \
  --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
gh attestation verify oci://ghcr.io/cloudfieldcz/shieldoo-gate:0.18.1 --repo cloudfieldcz/shieldoo-gate
  • shdg binaries — SLSA provenance: gh attestation verify shdg-0.18.1-linux-amd64.tar.gz --repo cloudfieldcz/shieldoo-gate
  • Detached signatures — each archive and SHA256SUMS also ships a keyless *.sig + *.pem cert (recognised by OpenSSF Scorecard): 
    cosign verify-blob \
  --signature shdg-0.18.1-linux-amd64.tar.gz.sig \
  --certificate shdg-0.18.1-linux-amd64.tar.gz.pem \
  --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com shdg-0.18.1-linux-amd64.tar.gz
    The same provenance is also attached as shdg-0.18.1.intoto.jsonl.
  • SBOMs — the CycloneDX SBOMs dogfooded through the gate are attached (*.cdx.json) with a detached cosign bundle (*.cdx.json.cosign.bundle): 
    cosign verify-blob --bundle sbom-gate.cdx.json.cosign.bundle \
  --certificate-identity-regexp 'https://github.com/cloudfieldcz/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com sbom-gate.cdx.json

Changes (v0.18.0…v0.18.1)

  • fix(release): force cosign legacy detached format for .sig assets (#77) (6823d77)
  • ci(release): publish Scorecard-readable signature + provenance assets (#76) (1c5b710)
  • docs: cross-check documentation against source code (#75) (6f268fe)
Assets 31
Loading