- Before you begin
- Set image and service image
- Define CI/CD variables
- Prepare OIDC token
- Prepare the container
- Build and push the image
- Sign the image with Cosign
- Verify the signature and annotations
- Example
.gitlab-ci.yml
configuration
Tutorial: Annotate container images with build provenance data
Annotations provide valuable metadata about the build process. This information is used for auditing and traceability. In a security incident, having detailed provenance data can significantly speed up the investigation and remediation process.
This tutorial describes how to set up a GitLab pipeline to automate the process of building, signing, and annotating container images by using Cosign.
You can configure your .gitlab-ci.yml
file to build, push, and sign a Docker image, and push it to the GitLab container registry.
To annotate container images:
- Set an image and service image.
- Define CI/CD variables.
- Prepare the OIDC token.
- Prepare the container.
- Build and push the image.
- Sign the image with Cosign.
- Verify the signature and annotations.
When you put it all together, your .gitlab-ci.yml
should look similar to the sample configuration provided at the end of this tutorial.
Before you begin
You must have:
- Cosign v2.0 or later installed.
- For self-managed GitLab instances, the GitLab container registry configured with a metadata database to display signatures.
Set image and service image
In the .gitlab-ci.yml
file, use the docker:latest
image and enable Docker-in-Docker service to allow Docker commands to run in the CI/CD job.
build_and_sign:
stage: build
image: docker:latest
services:
- docker:dind # Enable Docker-in-Docker service to allow Docker commands inside the container
Define CI/CD variables
Define variables for the image tag and URI using GitLab CI/CD predefined variables.
variables:
IMAGE_TAG: $CI_COMMIT_SHORT_SHA # Use the commit short SHA as the image tag
IMAGE_URI: $CI_REGISTRY_IMAGE:$IMAGE_TAG # Construct the full image URI with the registry, project path, and tag
COSIGN_YES: "true" # Automatically confirm actions in Cosign without user interaction
FF_SCRIPT_SECTIONS: "true" # Enables GitLab's CI script sections for better multi-line script output
Prepare OIDC token
Set up an OIDC token for keyless signing with Cosign.
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore # Provide an OIDC token for keyless signing with Cosign
Prepare the container
In the before_script
section of the .gitlab-ci.yml
file:
- Install Cosign and jq (for JSON processing):
apk add --no-cache cosign jq
- Enable GitLab container registry login using a CI/CD job token:
docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
The pipeline starts by setting up the necessary environment.
Build and push the image
In the script
section of the .gitlab-ci.yml
file, enter the following commands to build the Docker image and push it to the GitLab container registry.
- docker build --pull -t "$IMAGE_URI" .
- docker push "$IMAGE_URI"
This command creates the image using the current directory’s Dockerfile and pushes it to the registry.
Sign the image with Cosign
After building and pushing the image to the GitLab container registry, use Cosign to sign it.
In the script
section of the .gitlab-ci.yml
file, enter the following commands:
- IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE_URI")
- |
cosign sign "$IMAGE_DIGEST" \
--annotations "com.gitlab.ci.user.name=$GITLAB_USER_NAME" \
--annotations "com.gitlab.ci.pipeline.id=$CI_PIPELINE_ID" \
# ... (other annotations) ...
--annotations "tag=$IMAGE_TAG"
This step retrieves the image digest. It then uses Cosign to sign the image, and adds several annotations.
Verify the signature and annotations
After signing the image, it’s crucial to verify the signature and the annotations added.
In the .gitlab-ci.yml
file, include a verification step using the cosign verify
command:
- |
cosign verify \
--annotations "tag=$IMAGE_TAG" \
--certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/heads/$CI_COMMIT_REF_NAME" \
--certificate-oidc-issuer "$CI_SERVER_URL" \
"$IMAGE_URI" | jq .
The verification step ensures that the provenance data attached to the image is correct, and was not tampered with.
The cosign verify
command verifies the signature and checks the annotations. The output shows all the annotations
you’ve added to the image during the signing process.
In the output, you can see all annotations added earlier, including:
- GitLab user name
- Pipeline ID and URL
- Job ID and URL
- Commit SHA and reference name
- Project path
- Image source and revision
By verifying these annotations, you can ensure that the image’s provenance data is intact and matches what you expect based on your build process.
Example .gitlab-ci.yml
configuration
When you follow all the steps mentioned above, your .gitlab-ci.yml
should look similar to this:
stages:
- build
build_and_sign:
stage: build
image: docker:latest
services:
- docker:dind # Enable Docker-in-Docker service to allow Docker commands inside the container
variables:
IMAGE_TAG: $CI_COMMIT_SHORT_SHA # Use the commit short SHA as the image tag
IMAGE_URI: $CI_REGISTRY_IMAGE:$IMAGE_TAG # Construct the full image URI with the registry, project path, and tag
COSIGN_YES: "true" # Automatically confirm actions in Cosign without user interaction
FF_SCRIPT_SECTIONS: "true" # Enables GitLab's CI script sections for better multi-line script output
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore # Provide an OIDC token for keyless signing with Cosign
before_script:
- apk add --no-cache cosign jq # Install Cosign (mandatory) and jq (optional)
- docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" "$CI_REGISTRY" # Log in to the Docker registry using GitLab CI token
script:
# Build the Docker image using the specified tag and push it to the registry
- docker build --pull -t "$IMAGE_URI" .
- docker push "$IMAGE_URI"
# Retrieve the digest of the pushed image to use in the signing step
- IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE_URI")
# Sign the image using Cosign with annotations that provide metadata about the build and tag annotation to allow verifying
# the tag->digest mapping (https://github.com/sigstore/cosign?tab=readme-ov-file#tag-signing)
- |
cosign sign "$IMAGE_DIGEST" \
--annotations "com.gitlab.ci.user.name=$GITLAB_USER_NAME" \
--annotations "com.gitlab.ci.pipeline.id=$CI_PIPELINE_ID" \
--annotations "com.gitlab.ci.pipeline.url=$CI_PIPELINE_URL" \
--annotations "com.gitlab.ci.job.id=$CI_JOB_ID" \
--annotations "com.gitlab.ci.job.url=$CI_JOB_URL" \
--annotations "com.gitlab.ci.commit.sha=$CI_COMMIT_SHA" \
--annotations "com.gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME" \
--annotations "com.gitlab.ci.project.path=$CI_PROJECT_PATH" \
--annotations "org.opencontainers.image.source=$CI_PROJECT_URL" \
--annotations "org.opencontainers.image.revision=$CI_COMMIT_SHA" \
--annotations "tag=$IMAGE_TAG"
# Verify the image signature using Cosign to ensure it matches the expected annotations and certificate identity
- |
cosign verify \
--annotations "tag=$IMAGE_TAG" \
--certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/heads/$CI_COMMIT_REF_NAME" \
--certificate-oidc-issuer "$CI_SERVER_URL" \
"$IMAGE_URI" | jq . # Use jq to format the verification output for easier readability