Add support for validating for more GitHub claims in the OIDC identity when verifying OCI repositories #4521

matheuscscp · 2023-12-31T10:59:41Z

matheuscscp
Dec 31, 2023
Maintainer

cosign supports validating lots of claims in the GitHub OIDC token:

    --certificate-github-workflow-name='':
	contains the workflow claim from the GitHub OIDC Identity token that contains the name of the executed workflow.

    --certificate-github-workflow-ref='':
	contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon.

    --certificate-github-workflow-repository='':
	contains the repository claim from the GitHub OIDC Identity token that contains the repository that the workflow run was based upon

    --certificate-github-workflow-sha='':
	contains the sha claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run was based upon.

    --certificate-github-workflow-trigger='':
	contains the event_name claim from the GitHub OIDC Identity token that contains the name of the event that triggered the workflow run

The cosign verification features currently only support validating the iss and sub claims. In the case of GitHub the sub claim encodes only the GitHub org, repo and workflow environment (docs). Validating the workflow name like --certificate-github-workflow-name does would be great.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for validating for more GitHub claims in the OIDC identity when verifying OCI repositories #4521

{{title}}

Replies: 0 comments

Select a reply

Add support for validating for more GitHub claims in the OIDC identity when verifying OCI repositories #4521

matheuscscp Dec 31, 2023 Maintainer

Replies: 0 comments

matheuscscp
Dec 31, 2023
Maintainer