cosign
Cosign container image signing in a Dagger module
Installation
dagger install github.com/puzzle/dagger-module-cosign/cosign@v0.1.1Entrypoint
Return Type
CosignExample
dagger -m github.com/puzzle/dagger-module-cosign/cosign@ed23741b9d2aa1fd68e705261814d607ed935b15 call \
func (m *myModule) example() *Cosign {
return dag.
Cosign()
}@function
def example() -> dag.Cosign:
return (
dag.cosign()
)@func()
example(): Cosign {
return dag
.cosign()
}Types
Cosign 🔗
Cosign represents the cosign Dagger module type
sign() 🔗
Sign will run cosign sign from the image, as defined by the cosignImage parameter, to sign the given Container image digest
See https://edu.chainguard.dev/open-source/sigstore/cosign/an-introduction-to-cosign/
Return Type
String !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| privateKey | Secret ! | - | Cosign private key |
| password | Secret ! | - | Cosign password |
| registryUsername | String | - | registry username |
| registryPassword | Secret | - | registry password |
| dockerConfig | File | - | Docker config |
| cosignImage | String | "chainguard/cosign:latest" | Cosign container image |
| cosignUser | String | "nonroot" | Cosign container image user |
| digest | String ! | - | Container image digest to sign |
Example
dagger -m github.com/puzzle/dagger-module-cosign/cosign@ed23741b9d2aa1fd68e705261814d607ed935b15 call \
sign --private-key env:MYSECRET --password env:MYSECRET --digest stringfunc (m *myModule) example(ctx context.Context, privateKey *Secret, password *Secret, digest string) string {
return dag.
Cosign().
Sign(ctx, privateKey, password, digest)
}@function
async def example(private_key: dagger.Secret, password: dagger.Secret, digest: str) -> str:
return await (
dag.cosign()
.sign(private_key, password, digest)
)@func()
async example(privateKey: Secret, password: Secret, digest: string): Promise<string> {
return dag
.cosign()
.sign(privateKey, password, digest)
}signKeyless() 🔗
SignKeyless will run cosign sign (keyless) from the image, as defined by the cosignImage parameter, to sign the given Container image digest
See https://edu.chainguard.dev/open-source/sigstore/cosign/an-introduction-to-cosign/
Return Type
String !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| registryUsername | String | - | registry username |
| registryPassword | Secret | - | registry password |
| dockerConfig | File | - | Docker config |
| cosignImage | String | "chainguard/cosign:latest" | Cosign container image |
| cosignUser | String | "nonroot" | Cosign container image user |
| digest | String ! | - | Container image digest to sign |
Example
dagger -m github.com/puzzle/dagger-module-cosign/cosign@ed23741b9d2aa1fd68e705261814d607ed935b15 call \
sign-keyless --digest stringfunc (m *myModule) example(ctx context.Context, digest string) string {
return dag.
Cosign().
SignKeyless(ctxdigest)
}@function
async def example(digest: str) -> str:
return await (
dag.cosign()
.sign_keyless(digest)
)@func()
async example(digest: string): Promise<string> {
return dag
.cosign()
.signKeyless(digest)
}attest() 🔗
Attest will run cosign attest from the image, as defined by the cosignImage parameter, to attest the SBOM of the given Container image digest
See https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/
Return Type
String !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| privateKey | Secret ! | - | Cosign private key |
| password | Secret ! | - | Cosign password |
| registryUsername | String | - | registry username |
| registryPassword | Secret | - | registry password |
| dockerConfig | File | - | Docker config |
| cosignImage | String | "chainguard/cosign:latest" | Cosign container image |
| cosignUser | String | "nonroot" | Cosign container image user |
| digest | String ! | - | Container image digest to attest |
| predicate | File ! | - | SBOM file |
| sbomType | String | "spdxjson" | SBOM type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI |
Example
dagger -m github.com/puzzle/dagger-module-cosign/cosign@ed23741b9d2aa1fd68e705261814d607ed935b15 call \
attest --private-key env:MYSECRET --password env:MYSECRET --digest string --predicate file:pathfunc (m *myModule) example(ctx context.Context, privateKey *Secret, password *Secret, digest string, predicate *File) string {
return dag.
Cosign().
Attest(ctx, privateKey, password, digest, predicate)
}@function
async def example(private_key: dagger.Secret, password: dagger.Secret, digest: str, predicate: dagger.File) -> str:
return await (
dag.cosign()
.attest(private_key, password, digest, predicate)
)@func()
async example(privateKey: Secret, password: Secret, digest: string, predicate: File): Promise<string> {
return dag
.cosign()
.attest(privateKey, password, digest, predicate)
}attestKeyless() 🔗
AttestKeyless will run cosign attest (keyless) from the image, as defined by the cosignImage parameter, to attest the SBOM of the given Container image digest
See https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/
Return Type
String !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| registryUsername | String | - | registry username |
| registryPassword | Secret | - | registry password |
| dockerConfig | File | - | Docker config |
| cosignImage | String | "chainguard/cosign:latest" | Cosign container image |
| cosignUser | String | "nonroot" | Cosign container image user |
| digest | String ! | - | Container image digest to attest |
| predicate | File ! | - | SBOM file |
| sbomType | String | "spdxjson" | SBOM type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI |
Example
dagger -m github.com/puzzle/dagger-module-cosign/cosign@ed23741b9d2aa1fd68e705261814d607ed935b15 call \
attest-keyless --digest string --predicate file:pathfunc (m *myModule) example(ctx context.Context, digest string, predicate *File) string {
return dag.
Cosign().
AttestKeyless(ctxdigest, predicate)
}@function
async def example(digest: str, predicate: dagger.File) -> str:
return await (
dag.cosign()
.attest_keyless(digest, predicate)
)@func()
async example(digest: string, predicate: File): Promise<string> {
return dag
.cosign()
.attestKeyless(digest, predicate)
}clean() 🔗
Clean will run cosign clean from the image, as defined by the cosignImage parameter, to clean the defined types of the given Container image digest
Return Type
String !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| registryUsername | String | - | registry username |
| registryPassword | Secret | - | registry password |
| cosignImage | String | "chainguard/cosign:latest" | Cosign container image |
| cosignUser | String | "nonroot" | Cosign container image user |
| digest | String ! | - | Container image digest to clean |
| cleanType | String | "all" | Clean type (signature|attestation|all) |
Example
dagger -m github.com/puzzle/dagger-module-cosign/cosign@ed23741b9d2aa1fd68e705261814d607ed935b15 call \
clean --digest stringfunc (m *myModule) example(ctx context.Context, digest string) string {
return dag.
Cosign().
Clean(ctxdigest)
}@function
async def example(digest: str) -> str:
return await (
dag.cosign()
.clean(digest)
)@func()
async example(digest: string): Promise<string> {
return dag
.cosign()
.clean(digest)
}