Harness
Cimon Attest
Cimon supports using both a dedicated Harness plugin, or running it in a self-hosted runner via the CLI. The recommended method would be via the extension, this way instead of using different stages, the provenance can be generated in one simple step as part of a broader stage in your pipeline. The extension follows Harness' way of incorporating plugins, via the following docker image: cycodelabs/drone-cimon-attest
Example Usage
To integrate Cimon in your CI, edit your desired workflow as needed and add a plugin step once you've created the desired artifacts.
You can attest for any artifact, as long as they have a unique SHA256 digest.
- Unsigned
- Signed with Key Pair
- stage:
name: Run Cimon Attest
identified: Run_Cimon_Attest
type: CI
spec:
execution:
steps:
- step:
type: Run
name: Predefine Environment Variables
identifier: Predefine_Environment_Variables
spec:
shell: Sh
command: |
mkdir tmp
echo artifact123 > /harness/tmp/arifact1
- step:
type: Plugin
name: Run Plugin
identifier: Run_Plugin
spec:
image: cycodelabs/drone-cimon-attest:v0
settings:
cimon_client_id: <+secrets.getValue("CIMON_CLIENT_ID")>
cimon_secret: <+secrets.getValue("CIMON_SECRET")>
subjects: |
/harness/tmp/artifact1
provenance_output: /harness/test.jsonl
Explanation:
- step:
type: Run
name: Predefine Environment Variables
identifier: Predefine_Environment_Variables
spec:
shell: Sh
command: |
mkdir tmp
echo artifact123 > /harness/tmp/arifact1
Creating artifacts. This is build-specific, and we just used stub artifacts for the process demonstration.
The /harness folder is a shared folder supplied by the pipeline for every stage, thus it can be used across steps.
- step:
type: Plugin
name: Run Plugin
identifier: Run_Plugin
spec:
image: cycodelabs/drone-cimon-attest:v0
settings:
cimon_client_id: <+secrets.getValue("CIMON_CLIENT_ID")>
cimon_secret: <+secrets.getValue("CIMON_SECRET")>
subjects: |
/harness/tmp/artifact1
provenance_output: /harness/test.jsonl
Using the Plugin parameter in the type field, specifies to the Harness platform that this workflow step involved an external extension to be used by the pipeline. Since Harness runs plugins in a dedicated container, parameters need to be passed via the settings field. In this case:
- Credentials are provided using Harness' secrets manager
- subjects and provenance_output provide the location of the artifacts and the output location of the provenance respectively. These correspond to the CLI paramters. Further information on the supported parameters passed to the plugin can be found in the plugin parameters section.
- stage:
name: Run Cimon Attest
identified: Run_Cimon_Attest
type: CI
spec:
execution:
steps:
- step:
type: Run
name: Predefine Environment Variables
identifier: Predefine_Environment_Variables
spec:
shell: Sh
command: |
mkdir tmp
echo artifact123 > /harness/tmp/arifact1
openssl genrsa -out /harness/private-key.pem 3072
- step:
type: Plugin
name: Run Plugin
identifier: Run_Plugin
spec:
image: cycodelabs/drone-cimon-attest:v0
settings:
cimon_client_id: <+secrets.getValue("CIMON_CLIENT_ID")>
cimon_secret: <+secrets.getValue("CIMON_SECRET")>
subjects: |
/harness/tmp/artifact1
sign_key: /harness/private-key.pem
signed_provenance_output: /harness/signed_test.jsonl
Explanation:
- step:
type: Run
name: Predefine Environment Variables
identifier: Predefine_Environment_Variables
spec:
shell: Sh
command: |
mkdir tmp
echo artifact123 > /harness/tmp/arifact1
openssl genrsa -out /harness/private-key.pem 3072
Creating artifacts. This is build-specific, and we just used stub artifacts for the process demonstration.
Creating a signature key is build-specific, and we just used a stub key for the process demonstration.
The /harness folder is a shared folder supplied by the pipeline for every stage, thus it can be used across steps.
- step:
type: Plugin
name: Run Plugin
identifier: Run_Plugin
spec:
image: cycodelabs/drone-cimon-attest:v0
settings:
cimon_client_id: <+secrets.getValue("CIMON_CLIENT_ID")>
cimon_secret: <+secrets.getValue("CIMON_SECRET")>
subjects: |
/harness/tmp/artifact1
sign_key: /harness/private-key.pem
signed_provenance_output: /harness/signed_test.jsonl
Using the Plugin parameter in the type field, specifies to the Harness platform that this workflow step involved an external extension to be used by the pipeline. Since Harness runs plugins in a dedicated container, parameters need to be passed via the settings field. In this case:
- Credentials are provided using Harness' secrets manager
- subjects and signed_provenance_output provide the location of the artifacts and the output location of the provenance respectively. These correspond to the CLI paramters. Further information on the supported parameters passed to the plugin can be found in the plugin parameters section.
Plugin Parameters
| Name | Default | |
|---|---|---|
cimon_client_id | Cimon client ID for authentication | |
cimon_secret | Cimon secret for authentication | |
url | Cimon endpoint for authentication | |
subjects | A white space seperated list of paths, or base64-encoded subjects. Each path can be file, directory or image reference | |
sign_key | Input path to a private ECDSA/RSA/ED25519 key used to sign provenance statement. Can be an absolute path or a relative path to the working directory | |
provenance_output | provenance.intoto.jsonl | Provenance output path. Can be an absolute path or a relative path to the working directory |
signed_provenance_output | provenance.intoto.jsonl.sig | Signed provenance output path. Can be an absolute path or a relative path to the working directory |