@jandroav

Summary

Adds supply chain security features to Liquibase Secure Docker images for SLSA Level 3 compliance:

  • SBOM generation - Software Bill of Materials attached to images
  • Build provenance - Cryptographic attestation of build process
  • Cosign signing - Keyless image signing via GitHub OIDC

Changes

  • .github/workflows/create-release.yml - Add SBOM, provenance, and Cosign signing for secure images only
  • README.md - Add "Verifying Secure Images" documentation section

Key Details

  • All features apply only to liquibase-secure-release (Community images unchanged)
  • Uses keyless signing with GitHub OIDC (no private keys stored)
  • Signs images on all registries (Docker Hub, GHCR, ECR) based on push flags
  • Skips signing during dry-run mode

Verification Commands

# Verify signature
cosign verify liquibase/liquibase-secure:latest \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity-regexp="https://github.com/liquibase/docker/.*"

# View SBOM
docker buildx imagetools inspect liquibase/liquibase-secure:latest --format '{{ json .SBOM }}'

# View provenance
docker buildx imagetools inspect liquibase/liquibase-secure:latest --format '{{ json .Provenance }}'

🤖 Generated with Claude Code

Add SBOM generation, SLSA Level 3 provenance attestation, and Cosign
keyless image signing for Liquibase Secure Docker images only.

Changes:
- Add SBOM and provenance to docker/build-push-action for secure images
- Install Cosign and sign images on Docker Hub, GHCR, and ECR
- Add "Verifying Secure Images" documentation to README.md

Community images remain unchanged.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@coderabbitai
coderabbitai bot commented Dec 10, 2025

📝 Walkthrough

Walkthrough

This PR implements supply chain security features for Liquibase Secure Docker images by enabling SBOM generation and provenance attestation in the build process, adding Cosign-based keyless image signing for Docker Hub, GHCR, and ECR, and documenting verification procedures in the README.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI/CD Supply Chain Security: .github/workflows/create-release.yml | Adds Cosign installation step, enables SBOM and provenance generation in docker/build-push-action, and introduces three new Cosign signing steps (Docker Hub, GHCR, ECR) that sign images using GitHub OIDC keyless authentication after successful push operations. Changes are gated to liquibase-secure-release workflow variant. |
| Documentation: README.md | Adds new "Verifying Secure Images" section documenting supply chain security features specific to Liquibase Secure images, including instructions for verifying image signatures with Cosign, viewing SBOM, and viewing build provenance via image tooling. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–25 minutes

  • Verify proper conditional gating ensures signing only applies to liquibase-secure-release variant and when registry push flags are enabled
  • Confirm Cosign signing steps use correct image digest references from preceding build/push steps
  • Validate COSIGN_EXPERIMENTAL: 1 environment variable is correctly set for keyless GitHub OIDC signing across all three signing steps
  • Ensure signing operations occur after image push completion to avoid timing issues with registry availability

Suggested reviewers

  • jnewton03
  • sayaliM0412

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title directly and accurately summarizes the main change: adding supply chain security features (SBOM, provenance, Cosign signing) to Liquibase Secure Docker images. |
| Description check | ✅ Passed | The description provides comprehensive details about the supply chain security features being added, explains which images are affected, and includes verification commands, all directly related to the changeset. |
| Linked Issues check | ✅ Passed | The PR fulfills the core requirements from DAT-21009: enables SBOM and provenance in build-push-action, adds Cosign installation and keyless signing steps, implements registry-specific signing, and updates README with verification documentation. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the objectives in DAT-21009: workflow modifications for SBOM/provenance/signing for liquibase-secure-release only, and README documentation updates for verification. No unrelated or extraneous changes detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
# Install Cosign for keyless image signing (Secure images only)
- name: Install Cosign
if: ${{ matrix.type == 'liquibase-secure-release' }}
uses: sigstore/cosign-installer@v3

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Release Extension (v2)' step Uses Step uses 'sigstore/cosign-installer' with ref 'v3', not a pinned commit hash
Copilot AI left a comment

Pull request overview

This PR adds comprehensive supply chain security features to Liquibase Secure Docker images to achieve SLSA Level 3 compliance. The implementation includes SBOM generation, build provenance attestations, and keyless image signing using Cosign with GitHub OIDC, ensuring image authenticity and transparency without storing private keys.

Key changes:

  • Supply chain security features (SBOM, provenance, Cosign signing) for secure images only
  • Keyless signing via GitHub OIDC across all registries (Docker Hub, GHCR, ECR)
  • Comprehensive documentation for verifying image authenticity and viewing attestations

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/create-release.yml | Adds Cosign installation, SBOM/provenance generation in build step, and registry-specific signing steps with proper conditionals for secure images only |
| README.md | Adds "Verifying Secure Images" section with command examples for signature verification, SBOM inspection, and provenance viewing |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/create-release.yml (1)

369-369: Critical: Fix typo in AWS credentials reference.

Lines 369 and 380 have a typo: steps.configure-aws-credentials-prodoutputs should be steps.configure-aws-credentials-prod.outputs (missing dot after prod).

Apply this diff to fix the typo:

- password: ${{ steps.configure-aws-credentials-prodoutputs.aws_secret_access_key }}
+ password: ${{ steps.configure-aws-credentials-prod.outputs.aws_secret_access_key }}
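Review bot: on the `-` line the missing dot turns `configure-aws-credentials-prodoutputs` into a step id that no step defines, and GitHub Actions evaluates a property of an undefined step to an empty string instead of failing, so the login step would run with an empty `password`. Apply the corrected expression to both occurrences in the same commit, and consider running a workflow linter such as actionlint in CI so that a reference to an undefined step id fails at review time rather than during a release.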

Also applies to: 380-380

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 5bc25cb and ad9649a.

📒 Files selected for processing (2)
  • .github/workflows/create-release.yml (4 hunks)
  • README.md (1 hunks)
🧰 Additional context used
🧠 Learnings (13)
📓 Common learnings
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Secure Liquibase versions should be sourced from repo.liquibase.com and controlled via `LIQUIBASE_PRO_VERSION` ARG
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`
📚 Learning: 2025-11-24T16:48:37.150Z
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : LPM (Liquibase Package Manager) version should be specified via `LPM_VERSION` ARG in all Dockerfiles

Applied to files:

  • .github/workflows/create-release.yml
📚 Learning: 2025-11-24T16:48:37.150Z
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)

Applied to files:

  • .github/workflows/create-release.yml
  • README.md
📚 Learning: 2025-11-24T16:48:37.150Z
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images

Applied to files:

  • README.md
🪛 GitHub Check: CodeQL
.github/workflows/create-release.yml

[warning] 322-322: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Extension (v2)' step Uses Step uses 'sigstore/cosign-installer' with ref 'v3', not a pinned commit hash

🔇 Additional comments (4)
.github/workflows/create-release.yml (3)

451-453: SBOM and provenance configuration is correct.

The conditional SBOM and provenance settings properly apply only to liquibase-secure-release images. The provenance mode is set to max for comprehensive SLSA Level 3 compliance.


475-495: Cosign signing steps are properly gated and structured.

The three signing steps (Docker Hub, GHCR, ECR) correctly target only secure releases, respect dry-run flags, and use the digest from the build-and-push step. Assuming the COSIGN_EXPERIMENTAL environment variable is added, the implementation aligns with keyless signing requirements.

Please verify that keyless signing operates correctly with the GitHub OIDC token available in GitHub Actions, once the missing environment variable is added.


475-495: Remove recommendation to add COSIGN_EXPERIMENTAL environment variable — it is obsolete.

As of Cosign 2.0, the COSIGN_EXPERIMENTAL=1 environment variable is no longer required for keyless signing. Keyless signing via GitHub OIDC is enabled by default in modern Cosign releases. The current workflow configuration is correct and does not need modification on this front.

If keyless signing fails at runtime, the issue would be due to missing id-token: write permissions in the job/workflow configuration, not the absence of COSIGN_EXPERIMENTAL.

Likely an incorrect or invalid review comment.

README.md (1)

244-276: Excellent documentation for supply chain security verification.

The new "Verifying Secure Images" section (lines 244-276) is well-structured and provides clear, actionable instructions for verifying image signatures, inspecting SBOMs, and viewing build provenance. The explanation of keyless signing via GitHub OIDC is concise, and the emphasis that these features apply only to Secure images prevents user confusion.

# Install Cosign for keyless image signing (Secure images only)
- name: Install Cosign
if: ${{ matrix.type == 'liquibase-secure-release' }}
uses: sigstore/cosign-installer@v3
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

sigstore cosign-installer GitHub releases v3 commit hash

💡 Result:

Do you mean a specific v3.x release (e.g., v3.10.1, v3.9.2)? The releases page shows each v3 tag with its commit short hash (for example: v3.10.1 → 7e8b541, v3.10.0 → d7543c9, v3.9.2 → d58896d). Which exact tag do you need the full commit SHA for? (github.com)

Citations:


🏁 Script executed:

# Check for other uses of this action in the repository
rg "cosign-installer" --type yaml

Repository: liquibase/docker

Length of output: 42


🌐 Web query:

sigstore cosign-installer v3.10.1 latest release commit hash github

💡 Result:

The v3.10.1 release points to commit 7e8b541. [1][2]

Sources:
[1] sigstore/cosign-installer release v3.10.1 (GitHub).
[2] sigstore/cosign-installer commit 7e8b541 (GitHub).


🌐 Web query:

site:github.com/sigstore/cosign-installer releases v3

💡 Result:

I searched the repo. Key results:

  • cosign-installer releases page on GitHub (Releases listing). [1]
  • README in sigstore/cosign-installer showing example use with cosign v3 (example uses cosign-release: 'v3.0.2'). [2]

Sources:
[1] https://github.com/sigstore/cosign-installer/releases
[2] https://github.com/sigstore/cosign-installer (README)


🌐 Web query:

sigstore/cosign-installer commit 7e8b541 full SHA

💡 Result:

I couldn't find that commit hash with the info given. Do you mean the GitHub repo sigstore/cosign-installer on GitHub and the commit prefix 7e8b541 on branch main (or another branch/tag)? If so I can search GitHub directly — confirm the repo/branch and I'll return the full SHA.


🌐 Web query:

"sigstore/cosign-installer" "v3.10.1" full commit SHA github

💡 Result:

The full commit SHA for sigstore/cosign-installer tag v3.10.1 is 7e8b541eb2e61bf99390e1afd4be13a184e9ebc5. [1][2]

Sources:
[1] GitHub release v3.10.1 (sigstore/cosign-installer).
[2] Commit patch for 7e8b541 (shows full SHA).


Pin Cosign installer action to a commit hash.

The sigstore/cosign-installer@v3 action uses a floating tag instead of a commit hash, weakening supply chain security guarantees. Pin to the full commit SHA of the latest v3 release: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 (v3.10.1).

🤖 Prompt for AI Agents
.github/workflows/create-release.yml around line 322: the workflow references
sigstore/cosign-installer@v3 (a floating tag); update the action reference to
the provided pinned commit SHA by replacing sigstore/cosign-installer@v3 with
sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 (v3.10.1) so
the workflow uses the exact commit; commit the change and rerun CI to ensure the
workflow executes correctly.
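
A check for the condition the CodeQL warning and the pinning recommendation above describe, added here as an example (it is not code from the pull request, CodeQL, or CodeRabbit). The function name `unpinned_actions` and the sample workflow are constructed for illustration; the two `sigstore/cosign-installer` references are the ones quoted in this thread.

```bash
#!/usr/bin/env bash
# Added example: list `uses:` references in a GitHub Actions workflow that are
# not pinned to a full 40-character commit SHA.

# Print "LINE<TAB>REFERENCE" for every unpinned reference in the file "$1".
# Local actions (./path) and docker:// images are skipped because they are not
# resolved through a movable Git tag or branch.
unpinned_actions() {
  awk -v q="'" '
    {
      line = $0
      sub(/[ \t]*#.*$/, "", line)              # drop comments such as "# v3.10.1"
      if (line !~ /^[- \t]*uses:[ \t]*/) next  # only "uses:" keys
      sub(/^[- \t]*uses:[ \t]*/, "", line)
      gsub(/"/, "", line); gsub(q, "", line)   # strip optional quotes
      sub(/[ \t]+$/, "", line)
      if (line ~ /^\.\// || line ~ /^docker:\/\//) next
      n = index(line, "@")
      ref = (n > 0) ? substr(line, n + 1) : ""
      # A pin is exactly 40 lowercase hex characters; tags, branches and
      # abbreviated hashes are all reported.
      if (ref !~ /^[0-9a-f]+$/ || length(ref) != 40)
        printf "%d\t%s\n", NR, line
    }
  ' "$1"
}

# Constructed sample workflow (not the repository's create-release.yml).
sample_workflow() {
  cat <<'EOF'
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Install Cosign for keyless image signing (Secure images only)
      - name: Install Cosign
        if: ${{ matrix.type == 'liquibase-secure-release' }}
        uses: sigstore/cosign-installer@v3
      - name: Install Cosign (pinned)
        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
      - name: Local composite action
        uses: ./.github/actions/example
EOF
}

tmp=$(mktemp)
sample_workflow > "$tmp"
unpinned_actions "$tmp"   # reports the two tag-based references with their line numbers
rm -f "$tmp"
```

Run it over `.github/workflows/*.yml` in CI and fail the job when the output is non-empty to keep floating tags from reappearing.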
