Getting Started

Getting started with Cimon is as simple as introducing a single step in the pipeline. You run Cimon whenever you create an artifact you want to create the attestation for.

GitHub Actions

- name: Cimon Attest
  uses: cycodelabs/cimon-action/attest@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}
    subjects: |
      dist/artifact1
      dist/artifact2
    sign-key: private-key.pem

Read more about GitHub Actions integration here.

Azure Pipelines

- task: CimonAttest@0
  inputs:
    clientId: "$(CIMON_CLIENT_ID)"
    secret: "$(CIMON_SECRET)"
    subjects: |
      dist/artifact1
      dist/artifact2
    signKey: private-key.pem

Read more about Azure Pipelines integration here.

Jenkins

stage('Install Cimon') {
    steps {
        sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sudo sh -s -- -b /usr/local/bin'
    }
}

<create artifacts>

stage('Cimon Attest') {
    steps {
        sh """
          cimon attest generate-and-sign \
          --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
          --subjects "dist/artifact1 dist/artifact2" --key private-key.pem
        """
    }
}

GitLab CI

signed_provenance:
  before_script:
    # Download Cimon
    curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh

  script:
    # Create Artifacts and Generate Key Pair
    ...

    # Cimon Attest
    ./bin/cimon attest generate-and-sign \
      --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
      --subjects "dist/artifact1 dist/artifact2" --key private-key.pem

  after_script:
    # Print Provenance
    cat provenance.intoto.jsonl

    # Print Signed Provenance
    cat provenance.intoto.jsonl.sig

Read more about Jenkins integration here.

CLI

curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sudo sh -s -- -b /usr/local/bin

<create artifacts>

cimon attest generate-and-sign \
  --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
  --subjects "dist/artifact1 dist/artifact2" --key private-key.pem

Read more about CLI integration here.

Docker

<create artifacts>

docker run -v $(pwd):/tmp/attest --rm cycodelabs/cimon:v0 attest generate-and-sign \
--client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
--subjects "/tmp/attest/dist/artifact1 /tmp/attest/dist/artifact2" --key /tmp/attest/private-key.pem \
--output-prov "/tmp/attest/provenance.intoto.jsonl" --output-signed-prov "/tmp/attest/provenance.intoto.jsonl.sig"

Similarily to the CLI integration, we also provide docker images for Cimon hosted on Docker Hub.

Cycode Authentication

info

To perform artifact attestation and verification, you must authenticate with Cycode backend.

The Cimon API key consists of two values: client-id and secret, and can be generated from the Cycode service accounts page.

These values should be saved in a secure secret manager titled CIMON_CLIENT_ID and CLIENT_SECRET. For example, this is how it should look in the GitHub Actions secret manager:

Once tokens are installed securely, Cimon can be invoked as follows:

GitHub Actions

- uses: cycodelabs/cimon-action@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}

Azure Pipelines

- uses: Cimon@0
  inputs:
    clientId: $(CIMON_CLIENT_ID)
    secret: $(CIMON_SECRET)

Jenkins

environment {
    CIMON_CLIENT_ID = credentials("cimon-client-id")
    CIMON_SECRET = credentials("cimon-secret")
}

Read More

Dive deeper into Cimon Attest's capabilities by reading the following topics:

• Get started using Cimon Attest in Azure Pipelines.
• Get started using Cimon Attest in GitHub Actions.
• Get started using Cimon Attest in Jenkins.
• Get started using Cimon Attest in GitLab CI.
• Explore the components of the Azure Pipelines provenance document.
• Explore the components of the GitHub Actions provenance document.
• Explore the components of the Jenkins provenance document.
• Explore the components of the GitLab provenance document.
• Understand what signature and verification methods are supported here.