Getting Started

Getting started with Cimon is as simple as introducing a single step in the pipeline. You run Cimon whenever you create an artifact you want to create the attestation for.

GitHub Actions

- name: Cimon Attest
  uses: cycodelabs/cimon-action/attest@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}
    subjects: |
      dist/artifact1
      dist/artifact2
    sign-key: private-key.pem

Read more about GitHub Actions integration here.

Azure Pipelines

- task: CimonAttest@0
  inputs:
    clientId: "$(CIMON_CLIENT_ID)"
    secret: "$(CIMON_SECRET)"
    subjects: |
      dist/artifact1
      dist/artifact2
    signKey: private-key.pem

Read more about Azure Pipelines integration here.

Jenkins

stage('Install Cimon') {
    steps {
        sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sudo sh -s -- -b /usr/local/bin'
    }
}

<create artifacts>

stage('Cimon Attest') {
    steps {
        sh """
          cimon attest generate-and-sign \
          --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
          --subjects "dist/artifact1 dist/artifact2" --key private-key.pem
        """
    }
}

GitLab CI

signed_provenance:
  before_script:
    # Download Cimon
    curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh

  script:
    # Create Artifacts and Generate Key Pair
    ...

    # Cimon Attest
    ./bin/cimon attest generate-and-sign \
      --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
      --subjects "dist/artifact1 dist/artifact2" --key private-key.pem

  after_script:
    # Print Provenance
    cat provenance.intoto.jsonl

    # Print Signed Provenance
    cat provenance.intoto.jsonl.sig

Read more about Jenkins integration here.

Buildkite

steps:
  # Create build artifacts.
  - command:
      - echo artifact > artifact.txt
    artifact_paths:
      - artifact.txt
    label: "Generate artifacts"

  # Downloads artifact
  # Installs Cimon
  # Generates attestation
  - command:
      - buildkite-agent artifact download artifact.txt .
      - openssl genrsa -out private-key.pem 3072
      - curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
      - ./bin/cimon attest generate-and-sign --client-id $(buildkite-agent secret get CIMON_CLIENT_ID) --secret $(buildkite-agent secret get CIMON_SECRET) -k private-key.pem --subjects artifact.txt --report-job-summary
    artifact_paths:
      - provenance.intoto.jsonl
      - provenance.intoto.jsonl.sig
    label: "Generate attestation"

Read more about Buildkite integration here.

Harness

- stage:
  name: Run Cimon Attest
  identified: Run_Cimon_Attest
  type: CI
  spec:
    execution:
      steps:
        - step:
          type: Run
          name: Predefine Environment Variables
          identifier: Predefine_Environment_Variables
          spec:
            shell: Sh
            command: |
              mkdir tmp
              echo artifact123 > /harness/tmp/arifact1
              openssl genrsa -out /harness/private-key.pem 3072
        - step:
          type: Plugin
          name: Run Plugin
          identifier: Run_Plugin
          spec:
            image: cycodelabs/drone-cimon-attest:v0
            settings:
              cimon_client_id: <+secrets.getValue("CIMON_CLIENT_ID")>
              cimon_secret: <+secrets.getValue("CIMON_SECRET")>
              subjects: |
                /harness/tmp/artifact1
              sign_key: /harness/private-key.pem
              signed_provenance_output: /harness/signed_test.jsonl

Read more about Harness integration here.

CLI

curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sudo sh -s -- -b /usr/local/bin

<create artifacts>

cimon attest generate-and-sign \
  --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
  --subjects "dist/artifact1 dist/artifact2" --key private-key.pem

Read more about CLI integration here.

Docker

<create artifacts>

docker run -v $(pwd):/tmp/attest --rm cycodelabs/cimon:v0 attest generate-and-sign \
--client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
--subjects "/tmp/attest/dist/artifact1 /tmp/attest/dist/artifact2" --key /tmp/attest/private-key.pem \
--output-prov "/tmp/attest/provenance.intoto.jsonl" --output-signed-prov "/tmp/attest/provenance.intoto.jsonl.sig"

Similarily to the CLI integration, we also provide docker images for Cimon hosted on Docker Hub.

Cycode Authentication

info

To perform artifact attestation and verification, you must authenticate with Cycode backend.

The Cimon API key consists of two values: client-id and secret, and can be generated from the Cycode service accounts page.

These values should be saved in a secure secret manager titled CIMON_CLIENT_ID and CLIENT_SECRET. For example, this is how it should look in the GitHub Actions secret manager:

Once tokens are installed securely, Cimon can be invoked as follows:

GitHub Actions

- uses: cycodelabs/cimon-action@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}

Azure Pipelines

- task: Cimon@0
  inputs:
    clientId: $(CIMON_CLIENT_ID)
    secret: $(CIMON_SECRET)

Jenkins

environment {
    CIMON_CLIENT_ID = credentials("cimon-client-id")
    CIMON_SECRET = credentials("cimon-secret")
}

Read More

Dive deeper into Cimon Attest's capabilities by reading the following topics:

• Get started using Cimon Attest in Azure Pipelines.
• Get started using Cimon Attest in GitHub Actions.
• Get started using Cimon Attest in Jenkins.
• Get started using Cimon Attest in GitLab CI.
• Get started using Cimon Attest in Buildkite.
• Get started using Cimon Attest in Harness
• Explore the components of the Azure Pipelines provenance document.
• Explore the components of the GitHub Actions provenance document.
• Explore the components of the Jenkins provenance document.
• Explore the components of the GitLab provenance document.
• Explore the components of the Buildkite provenance document.
• Explore the components of the Harness provenance document.
• Understand what signature and verification methods are supported here.