feat: add output caps, tests, docs

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>

cmd/cosign/cli/dockerfile.go

@@ -112,11 +112,15 @@ func dockerfileResolve() *cobra.Command {
 	o := &options.ResolveDockerfileOptions{}
 
 	cmd := &cobra.Command{
-		Use:     "resolve",
-		Short:   "",
-		Long:    ``,
-		Example: ``,
-		Args:    cobra.ExactArgs(1),
+		Use:   "resolve",
+		Short: "Resolve the digest of the images and rewrites them with fully qualified image reference",
+		Long:  ``,
+		Example: `  cosign dockerfile resolve Dockerfile
+		
+		# specify output file
+		cosign dockerfile resolve -o Dockerfile.edited Dockerfile
+`,
+		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			v := &dockerfile.ResolveDockerfileCommand{
 				Output: o.Output,

cmd/cosign/cli/dockerfile/resolve.go

@@ -1,3 +1,17 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package dockerfile
 
 import (
@@ -6,12 +20,13 @@ import (
 	"context"
 	"flag"
 	"fmt"
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/sigstore/cosign/pkg/oci/remote"
 	"io"
 	"os"
 	"strings"
 
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/sigstore/cosign/pkg/oci/remote"
+
 	"github.com/pkg/errors"
 )
 
@@ -38,7 +53,11 @@ func (c *ResolveDockerfileCommand) Exec(ctx context.Context, args []string) erro
 		return fmt.Errorf("failed extracting images from Dockerfile: %w", err)
 	}
 
-	fmt.Fprintln(os.Stderr, string(resolvedDockerfile))
+	if c.Output != "" {
+		_ = os.WriteFile(c.Output, resolvedDockerfile, 0600)
+	} else {
+		_, _ = fmt.Fprintln(os.Stdout, string(resolvedDockerfile))
+	}
 
 	return nil
 }

cmd/cosign/cli/dockerfile/resolve_test.go

@@ -1,3 +1,17 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package dockerfile
 
 import (

cmd/cosign/cli/dockerfile/verify.go

@@ -67,7 +67,6 @@ func getImagesFromDockerfile(dockerfile io.Reader) ([]string, error) {
 	fileScanner := bufio.NewScanner(dockerfile)
 	for fileScanner.Scan() {
 		line := strings.TrimSpace(fileScanner.Text())
-		// what about the COPY --from=image:tag cases?
 		if strings.HasPrefix(strings.ToUpper(line), "FROM") {
 			switch image := getImageFromLine(line); image {
 			case "scratch":

cmd/cosign/cli/options/dockerfile.go

@@ -1,10 +1,25 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package options
 
 import (
 	"github.com/spf13/cobra"
 )
 
-// ResolveDockerfileOptions is the top level wrapper for the `verify blob` command.
+// ResolveDockerfileOptions is the top level wrapper for the `dockerfile resolve` command.
 type ResolveDockerfileOptions struct {
 	Output string
 }
@@ -13,6 +28,6 @@ var _ Interface = (*ResolveDockerfileOptions)(nil)
 
 // AddFlags implements Interface
 func (o *ResolveDockerfileOptions) AddFlags(cmd *cobra.Command) {
-	cmd.Flags().StringVar(&o.Output, "output", "",
-		"output an updated Dockerfile to file")
-}
+	cmd.Flags().StringVarP(&o.Output, "output", "o",
+		"", "output an updated Dockerfile to file")
+}

test/e2e_test.sh

@@ -49,11 +49,17 @@ go test -tags=e2e -race ./...
 # Test `cosign dockerfile verify`
 export DISTROLESS_PUB_KEY=distroless.pub
 wget -O ${DISTROLESS_PUB_KEY} https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub
+
 ./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/single_stage.Dockerfile
 if (./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/unsigned_build_stage.Dockerfile); then false; fi
 ./cosign dockerfile verify --base-image-only --key ${DISTROLESS_PUB_KEY} ./test/testdata/unsigned_build_stage.Dockerfile
 ./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/fancy_from.Dockerfile
 test_image="gcr.io/distroless/base" ./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/with_arg.Dockerfile
+
+# Test dockerfile resolve and verify
+./cosign dockerfile resolve -o ./test/testdata/fancy_from.Dockerfile.resolved ./test/testdata/fancy_from.Dockerfile
+./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/fancy_from.Dockerfile.resolved
+
 # Image exists, but is unsigned
 if (test_image="ubuntu" ./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/with_arg.Dockerfile); then false; fi
 ./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/with_lowercase.Dockerfile