From 8fe6cda7a8f0dfd637ba31d87f90a1d3b11219ce Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Thu, 12 Dec 2024 12:10:11 +0100 Subject: [PATCH 01/24] chainloop demo Signed-off-by: Daniel Liszka
--- .chainloop.yml | 11 +++ .../chainloop-demo-build-container-image.yml | 91 +++++++++++++++++++ Dockerfile | 15 +++ 3 files changed, 117 insertions(+) create mode 100644 .chainloop.yml create mode 100644 .github/workflows/chainloop-demo-build-container-image.yml create mode 100644 Dockerfile
diff --git a/.chainloop.yml b/.chainloop.yml new file mode 100644
index 00000000000..1c82b7e8532
--- /dev/null
+++ b/.chainloop.yml
@@ -0,0 +1,11 @@
+# defines files to be added to the attestation
+petclinic:
+ - name: jar
+ path: artifacts/spring-petclinic-*.jar
+ - name: jar-sbom
+ path: ./metadata/sbom.cyclonedx.json
+petclinic_container_image:
+ - name: image-sbom
+ path: ./metadata/image.sbom.cyclonedx.json
+ - name: image
+ path: ghcr.io/danlishka/spring-petclinic-demo:latest
diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml new file mode 100644
index 00000000000..991b6fad812
--- /dev/null
+++ b/.github/workflows/chainloop-demo-build-container-image.yml
@@ -0,0 +1,91 @@
+name: Chainloop Demo Build Container Image
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ chainloop_init:
+ runs-on: ubuntu-latest
+ outputs:
+ att_id: ${{ steps.att_init.outputs.att_id }}
+ version: ${{ steps.att_init.outputs.version }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install Chainloop
+ run: |
+ curl -sfL https://docs.chainloop.dev/install.sh | bash -s
+ - name: Initialize Attestation
+ id: att_init
+ run: |
+ VERSION=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
+ att_id=$(chainloop attestation init --workflow build-container-image --project demo-spring-petclinic --contract demo-spring-petclinic --version "$VERSION" --remote-state -o json | jq -r .attestationID)
+ echo "att_id=$att_id" >> $GITHUB_OUTPUT
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ env:
+ CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN}}
+
+ build_container:
+ runs-on: ubuntu-latest
+ env:
+ CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
+ ATTESTATION_ID: ${{ needs.chainloop_init.outputs.att_id }}
+ VERSION: ${{ needs.chainloop_init.outputs.version }}
+
+ needs: chainloop_init
+ strategy:
+ matrix:
+ java: [ '17' ]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK ${{matrix.java}}
+ uses: actions/setup-java@v4
+ with:
+ java-version: ${{matrix.java}}
+ distribution: 'adopt'
+ cache: maven
+ - name: Install dependencies and tools.
+ run: |
+ mkdir -p metadata
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+ curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s
+ - name: Docker login to Github Packages
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build the jar file and generate SBOM.
+ run: |
+ chainloop attestation init --workflow build-container-image-jar --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }}
+
+ ./mvnw -B -Dmaven.test.skip=true clean package
+ syft packages -o cyclonedx-json=./metadata/jar.sbom.cyclonedx.json target/spring-petclinic-*.jar
+
+ chainloop attestation add --name jar --value target/*.jar
+ chainloop attestation add --name jar-sbom --value ./metadata/jar.sbom.cyclonedx.json
+
+ chainloop attestation push
+
+ - name: Build a container image push to Github Packages.
+ run: |
+ docker build -t ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest .
+ docker push ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest
+ syft packages -o cyclonedx-json=./metadata/image.sbom.cyclonedx.json docker:ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest
+
+ - name: Chainloop Attestation for the container image (using remote state, requires attestation id).
+ run: |
+ chainloop att add --name image --value ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest --attestation-id ${{ env.ATTESTATION_ID }} --remote-state
+ chainloop att add --name image-sbom --value ./metadata/image.sbom.cyclonedx.json --attestation-id ${{ env.ATTESTATION_ID }} --remote-state
+ chainloop att push --attestation-id ${{ env.ATTESTATION_ID }} --remote-state
+
+ - uses: actions/upload-artifact@v4
+ with:
+ name: artifacts
+ path: target/*.jar
+ - uses: actions/upload-artifact@v4
+ with:
+ name: metadata
+ path: metadata/*
diff --git a/Dockerfile b/Dockerfile new file mode 100644
index 00000000000..893b19f5416
--- /dev/null
+++ b/Dockerfile
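Review bot: The `build_container` job pushes and attests `ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest` on `pull_request` events as well as on `push` to `main`, so an unmerged PR can overwrite the published `latest` tag and obtain a Chainloop attestation for it, and on PRs from forks `secrets.CHAINLOOP_TOKEN` is empty so the job fails anyway. Gating the push/attest steps with `if: github.event_name == 'push'` and publishing an immutable tag such as `${{ github.sha }}` next to `latest` would give the attestation a non-moving image to refer to. The shell steps also interpolate `${{ env.VERSION }}` into the script text although the value is already exported as an environment variable; `"$VERSION"`, as `chainloop_init` already does, keeps the expression out of the parsed script. The three `curl ... | bash`/`sh` lines fetch unpinned installer scripts (`docs.chainloop.dev/install.sh`, Syft from `main`), so the toolchain that produces the attested evidence is not reproducible from one run to the next.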
@@ -0,0 +1,15 @@
+FROM bellsoft/liberica-runtime-container:jdk-21-stream-musl as builder
+WORKDIR /home/app
+COPY target/*.jar .
+
+FROM bellsoft/liberica-runtime-container:jdk-21-stream-musl as optimizer
+WORKDIR /home/app
+COPY --from=builder /home/app/*.jar petclinic.jar
+RUN java -Djarmode=layertools -jar petclinic.jar extract
+
+FROM bellsoft/liberica-runtime-container:jre-21-stream-musl
+ENTRYPOINT ["java", "org.springframework.boot.loader.launch.JarLauncher"]
+COPY --from=optimizer /home/app/dependencies/ ./
+COPY --from=optimizer /home/app/spring-boot-loader/ ./
+COPY --from=optimizer /home/app/snapshot-dependencies/ ./
+COPY --from=optimizer /home/app/application/ ./
From a9318bc3a5df8e68262014ae3046b28c910eb4b1 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Tue, 17 Dec 2024 23:54:51 +0100 Subject: [PATCH 02/24] chainloop demo Signed-off-by: Daniel Liszka
--- .chainloop.yml | 11 ----------- .../chainloop-demo-build-container-image.yml | 3 ++- 2 files changed, 2 insertions(+), 12 deletions(-) delete mode 100644 .chainloop.yml
diff --git a/.chainloop.yml b/.chainloop.yml deleted file mode 100644
index 1c82b7e8532..00000000000
--- a/.chainloop.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# defines files to be added to the attestation
-petclinic:
- - name: jar
- path: artifacts/spring-petclinic-*.jar
- - name: jar-sbom
- path: ./metadata/sbom.cyclonedx.json
-petclinic_container_image:
- - name: image-sbom
- path: ./metadata/image.sbom.cyclonedx.json
- - name: image
- path: ghcr.io/danlishka/spring-petclinic-demo:latest
diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml
index 991b6fad812..468c8e2f51a 100644
--- a/.github/workflows/chainloop-demo-build-container-image.yml
+++ b/.github/workflows/chainloop-demo-build-container-image.yml
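Review bot: The runtime stage never sets a `USER`, so the Spring Boot application runs as root inside the container; adding an unprivileged user before `ENTRYPOINT` (for example `USER 65534:65534`, or whichever non-root uid the liberica image ships — verify) closes that. The three `FROM` lines also use the floating `jdk-21-stream-musl`/`jre-21-stream-musl` tags, so the image that gets attested is built from whatever those tags resolve to on the day; pinning by digest (`bellsoft/liberica-runtime-container:jre-21-stream-musl@sha256:<BASE_DIGEST>`, placeholder) makes the base a fixed, SBOM-able input. As a style point, stage names are conventionally written `AS builder` rather than `as builder`.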
@@ -32,7 +32,8 @@ jobs: CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }} ATTESTATION_ID: ${{ needs.chainloop_init.outputs.att_id }} VERSION: ${{ needs.chainloop_init.outputs.version }} - + permissions: + packages: write needs: chainloop_init strategy: matrix: From 3a62ac4cc7e0651448a0be1f60ebd4d58d6dbcb1 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 00:10:27 +0100 Subject: [PATCH 03/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 468c8e2f51a..6605ecc600b 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -1,4 +1,4 @@ -name: Chainloop Demo Build Container Image +name: Demo Spring Petclinic - Build Container Image on: push: branches: [ main ] From 8e80326c8b49f370645a77bf79bccaca16a29b96 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 00:14:48 +0100 Subject: [PATCH 04/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 6605ecc600b..724ed102c31 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml 
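Review bot: Declaring `permissions:` on `build_container` narrows the job's `GITHUB_TOKEN` to the scopes listed, so every scope not named is set to `none`; with only `packages: write` the token no longer carries `contents: read`. Whether `actions/checkout@v4` still succeeds then depends on the repository being public — on a private repository or fork it will not — so the safe form is `permissions:` / `  contents: read` / `  packages: write`. `chainloop_init`, by contrast, keeps the workflow's default token permissions, which are broader than what it needs; a top-level `permissions: {}` with per-job grants would put both jobs on a least-privilege footing.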
@@ -76,7 +76,7 @@ jobs: docker push ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest syft packages -o cyclonedx-json=./metadata/image.sbom.cyclonedx.json docker:ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest - - name: Chainloop Attestation for the container image (using remote state, requires attestation id). + - name: Chainloop Attestation for the whole action and the container image (using remote state, requires attestation id). run: | chainloop att add --name image --value ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest --attestation-id ${{ env.ATTESTATION_ID }} --remote-state chainloop att add --name image-sbom --value ./metadata/image.sbom.cyclonedx.json --attestation-id ${{ env.ATTESTATION_ID }} --remote-state From ed2b71da04da07fefd856bb38f6f8e7243ba4ad6 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 00:19:49 +0100 Subject: [PATCH 05/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 724ed102c31..c46a7846d89 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@v4 - name: Install Chainloop run: | - curl -sfL https://docs.chainloop.dev/install.sh | bash -s + curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s - name: Initialize Attestation id: att_init run: | From 2c49064a3c632a1a698c18d5ef9eb4dcc2aeb5bc Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 01:16:29 +0100 Subject: [PATCH 06/24] chainloop demo 
Signed-off-by: Daniel Liszka
--- .github/workflows/chainloop-demo-test.yml | 40 +++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/chainloop-demo-test.yml
diff --git a/.github/workflows/chainloop-demo-test.yml b/.github/workflows/chainloop-demo-test.yml new file mode 100644
index 00000000000..8f5c4c5a830
--- /dev/null
+++ b/.github/workflows/chainloop-demo-test.yml
@@ -0,0 +1,40 @@
+name: Demo Spring Petclinic - Testing
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ env:
+ CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
+ strategy:
+ matrix:
+ java: [ '17' ]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK ${{matrix.java}}
+ uses: actions/setup-java@v4
+ with:
+ java-version: ${{matrix.java}}
+ distribution: 'adopt'
+ cache: maven
+ - name: Install dependencies and tools.
+ run: |
+ mkdir -p metadata
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+ curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s
+
+ - name: Build the jar file and generate SBOM.
+ run: |
+ VERSION=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
+ chainloop attestation init --workflow test --project demo-spring-petclinic --contract demo-spring-petclinic --version "$VERSION"
+
+ ./mvnw clean verify jacoco:report > target/test.log 2>&1
+
+ chainloop attestation add --name test-log --value ./target/test.log
+ chainloop attestation add --name test-report --value target/site/jacoco/jacoco.xml
+
+ chainloop attestation push
From 55f15a9dfe02dd1dbfb2467c7311626106242b7c Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 01:20:52 +0100 Subject: [PATCH 07/24] chainloop demo
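Review bot: Under the runner's default `bash -e` shell a failing `./mvnw clean verify jacoco:report` aborts the step before `chainloop attestation add`/`push` run, so the test log and JaCoCo report are attested only for passing runs — the failing runs, the ones a reviewer most wants evidence for, leave no attestation at all. Capturing the exit status instead (`./mvnw clean verify jacoco:report > target/test.log 2>&1 || status=$?`), attesting, and finishing with `exit "${status:-0}"` after `chainloop attestation push` keeps the job red while still recording the evidence. `pull_request` runs from forks also receive no `secrets.CHAINLOOP_TOKEN`, so `chainloop attestation init` will fail there; either drop that trigger or guard the Chainloop steps with `if: github.event_name == 'push'`. Lastly, `distribution: 'adopt'` in `setup-java` names the retired AdoptOpenJDK builds; `temurin` is the maintained successor.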
Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chainloop-demo-test.yml b/.github/workflows/chainloop-demo-test.yml index 8f5c4c5a830..9e4c0148653 100644 --- a/.github/workflows/chainloop-demo-test.yml +++ b/.github/workflows/chainloop-demo-test.yml @@ -32,9 +32,9 @@ jobs: VERSION=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout) chainloop attestation init --workflow test --project demo-spring-petclinic --contract demo-spring-petclinic --version "$VERSION" - ./mvnw clean verify jacoco:report > target/test.log 2>&1 + ./mvnw clean verify jacoco:report > test.log 2>&1 - chainloop attestation add --name test-log --value ./target/test.log + chainloop attestation add --name test-log --value ./test.log chainloop attestation add --name test-report --value target/site/jacoco/jacoco.xml chainloop attestation push From 62fba70f5fd6c42d0ca02c4e9c3bf270eacba52c Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 01:25:54 +0100 Subject: [PATCH 08/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-test.yml b/.github/workflows/chainloop-demo-test.yml index 9e4c0148653..3fcf2ddb23e 100644 --- a/.github/workflows/chainloop-demo-test.yml +++ b/.github/workflows/chainloop-demo-test.yml @@ -33,7 +33,6 @@ jobs: chainloop attestation init --workflow test --project demo-spring-petclinic --contract demo-spring-petclinic --version "$VERSION" ./mvnw clean verify jacoco:report > test.log 2>&1 - chainloop attestation add --name test-log --value ./test.log chainloop attestation add --name test-report --value target/site/jacoco/jacoco.xml From f4837bb3fd3ce7972ac45feb12c980294ffe14d1 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 09:34:23 +0100 Subject: [PATCH 09/24] chainloop demo 
Signed-off-by: Daniel Liszka --- .../chainloop-demo-build-container-image.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index c46a7846d89..11a53f8cc66 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -51,6 +51,7 @@ jobs: mkdir -p metadata curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin - name: Docker login to Github Packages uses: docker/login-action@v3 with: 
@@ -82,6 +83,22 @@ jobs: chainloop att add --name image-sbom --value ./metadata/image.sbom.cyclonedx.json --attestation-id ${{ env.ATTESTATION_ID }} --remote-state chainloop att push --attestation-id ${{ env.ATTESTATION_ID }} --remote-state + - name: Vulnerabilities Scan for the JAR file + run: | + chainloop attestation init --workflow vulnerabilities_scan_jar --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} + trivy rootfs target/*.jar --format json -o ./metadata/cve-scan-report-jar.json + chainloop att add --name --name jar --value target/*.jar + chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-jar.json + chainloop att push + + - name: Vulnerabilities Scan for the container image + run: | + chainloop attestation init --workflow vulnerabilities_scan_image --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} + trivy image ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest --format json -o ./metadata/cve-scan-report-image.json + chainloop att add --name image --value ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest + chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-image.json + chainloop att push + - uses: actions/upload-artifact@v4 with: name: artifacts @@ -89,4 +106,4 @@ jobs: - uses: actions/upload-artifact@v4 with: name: metadata - path: metadata/* + path: metadata/* \ No newline at end of file From 082ee65ea511b001d92fa46b2c3d7b16bd48d204 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 11:12:58 +0100 Subject: [PATCH 10/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 11a53f8cc66..eb5b28903f6 100644 
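Review bot: Both new scan steps run after `docker push` and the image attestation have already completed (the push step sits above this hunk), so a vulnerable image is public under `:latest` before Trivy looks at it, and because `trivy` is invoked without `--exit-code` the findings never fail the job — the reports are recorded but nothing acts on them. Scanning the locally built image before the push (`trivy image --exit-code 1 --severity CRITICAL,HIGH --format sarif -o ./metadata/cve-scan-report-image.sarif ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest`), or gating the push on the Chainloop policy result, turns the scan from a log into a control. The Trivy installer added in the previous hunk (`@@ -51`) is fetched from the `main` branch and piped into `sh`, unpinned and unverified, like the Syft and Chainloop installers next to it; pinning to a release tag and checking the published checksum keeps the scanner that produces the attested report reproducible.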
--- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -85,7 +85,7 @@ jobs: - name: Vulnerabilities Scan for the JAR file run: | - chainloop attestation init --workflow vulnerabilities_scan_jar --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} + chainloop attestation init --workflow vulnerabilities-scan-jar --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} trivy rootfs target/*.jar --format json -o ./metadata/cve-scan-report-jar.json chainloop att add --name --name jar --value target/*.jar chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-jar.json @@ -93,7 +93,7 @@ jobs: - name: Vulnerabilities Scan for the container image run: | - chainloop attestation init --workflow vulnerabilities_scan_image --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} + chainloop attestation init --workflow vulnerabilities-scan-image --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} trivy image ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest --format json -o ./metadata/cve-scan-report-image.json chainloop att add --name image --value ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-image.json From d05d2778c97557b3bbcdb6be9f2b905778adb05c Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 11:29:30 +0100 Subject: [PATCH 11/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index eb5b28903f6..589a02da5e0 100644 
--- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -87,7 +87,7 @@ jobs: run: | chainloop attestation init --workflow vulnerabilities-scan-jar --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} trivy rootfs target/*.jar --format json -o ./metadata/cve-scan-report-jar.json - chainloop att add --name --name jar --value target/*.jar + chainloop att add --name jar --value target/*.jar chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-jar.json chainloop att push From 5c7ed7b75fc27c8d70b63ca69fab436639e827f8 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 13:49:30 +0100 Subject: [PATCH 12/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 589a02da5e0..4e9a78312f4 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -52,6 +52,8 @@ jobs: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + - name: Install cosign + uses: sigstore/cosign-installer@v2.5.0 - name: Docker login to Github Packages uses: docker/login-action@v3 with: 
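Review bot: `sigstore/cosign-installer@v2.5.0` is pinned to a mutable tag rather than a commit SHA, and v2.5.0 predates cosign 2.x, so the installed binary is presumably a 1.x release — verify which version it resolves to. Pinning `uses:` to a full commit SHA (with the version in a trailing comment) is the usual supply-chain hygiene for a signing tool, and a current major of the installer gives the cosign 2.x behaviour that the `cosign sign` step in the next hunk will otherwise not have. The same step list still installs Syft, Chainloop and Trivy via `curl | sh` from unpinned URLs; consistent pinning across the step would be worth doing at the same time.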
@@ -75,7 +77,11 @@ jobs: run: | docker build -t ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest . docker push ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest + cosign sign --key=env://COSIGN_PRIVATE_KEY ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest syft packages -o cyclonedx-json=./metadata/image.sbom.cyclonedx.json docker:ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest + env: + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Chainloop Attestation for the whole action and the container image (using remote state, requires attestation id). run: | From 481bfb831026f200b282a57f14a49c115ea6f60b Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 18 Dec 2024 15:00:57 +0100 Subject: [PATCH 13/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 4e9a78312f4..7b968f9e63f 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -112,4 +112,4 @@ jobs: - uses: actions/upload-artifact@v4 with: name: metadata - path: metadata/* \ No newline at end of file + path: metadata/* From 9fc19bba21b306a20cce433d118f9b6b4a169ea9 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Thu, 19 Dec 2024 13:57:18 +0100 Subject: [PATCH 14/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 7b968f9e63f..5bbd52a42d9 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml 
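Review bot: `cosign sign --key=env://COSIGN_PRIVATE_KEY ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest` signs a tag reference; cosign resolves it to a digest at signing time, but `latest` moves on every run, so a signature a consumer later verifies against `:latest` may belong to a different image than the one attested two steps later by `chainloop att add --name image`. Capture the digest after the push and sign that — `DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest)` then `cosign sign --key=env://COSIGN_PRIVATE_KEY "$DIGEST"` — and feed the same digest to the Chainloop image material. The step also relies on a long-lived private key plus password held as repository secrets; with `id-token: write` in the job's `permissions:` the signing could be keyless (OIDC-backed) and both secrets could go. Depending on the cosign version the installer in the previous hunk resolves to, a 2.x binary additionally needs `--yes` to run non-interactively, otherwise this step may stall or fail.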
+++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -77,7 +77,7 @@ jobs: run: | docker build -t ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest . docker push ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest - cosign sign --key=env://COSIGN_PRIVATE_KEY ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest + # cosign sign --key=env://COSIGN_PRIVATE_KEY ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest syft packages -o cyclonedx-json=./metadata/image.sbom.cyclonedx.json docker:ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest env: COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} From 81d0f14a29d70127d0082509c33c94a3ef78c1bb Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Thu, 19 Dec 2024 16:31:48 +0100 Subject: [PATCH 15/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 5bbd52a42d9..40072c63990 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -4,7 +4,6 @@ on: branches: [ main ] pull_request: branches: [ main ] - jobs: chainloop_init: runs-on: ubuntu-latest From 7c7b2da5ef0c5d023989b12fd3b16235d33bf7f5 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Thu, 19 Dec 2024 16:57:29 +0100 Subject: [PATCH 16/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 40072c63990..5bbd52a42d9 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml 
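Review bot: Commenting out the `cosign sign` line leaves the step's `env:` block (visible as context below the changed line) still injecting `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD` into a step that no longer uses them, so the signing key is exposed to `docker build`, `docker push` and `syft` for no benefit. If signing is meant to stay off, remove the `env:` block and the cosign installer with it; if it is being debugged, a comment such as `# TODO(<owner>): cosign signing disabled — <reason>; re-enable before relying on the attestation` would record why. As it stands the step name and the attestation still suggest a signed-image pipeline while the image is published unsigned.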
@@ -4,6 +4,7 @@ on: branches: [ main ] pull_request: branches: [ main ] + jobs: chainloop_init: runs-on: ubuntu-latest From 93ece926329f9358bddb49c39332ba198b0df2a4 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Thu, 19 Dec 2024 22:29:38 +0100 Subject: [PATCH 17/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 5bbd52a42d9..ef1a401164d 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -92,7 +92,7 @@ jobs: - name: Vulnerabilities Scan for the JAR file run: | chainloop attestation init --workflow vulnerabilities-scan-jar --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} - trivy rootfs target/*.jar --format json -o ./metadata/cve-scan-report-jar.json + trivy rootfs target/*.jar --format sarif -o ./metadata/cve-scan-report-jar.sarif chainloop att add --name jar --value target/*.jar chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-jar.json chainloop att push 
@@ -100,7 +100,7 @@ jobs: - name: Vulnerabilities Scan for the container image run: | chainloop attestation init --workflow vulnerabilities-scan-image --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} - trivy image ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest --format json -o ./metadata/cve-scan-report-image.json + trivy image ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest --format sarif -o ./metadata/cve-scan-report-image.sarif chainloop att add --name image --value ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-image.json chainloop att push From 1bd876de15b5cdca52dd6cb7cbf557d8b2a176ca Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Thu, 19 Dec 2024 23:20:28 +0100 Subject: [PATCH 18/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index ef1a401164d..57a2209eb29 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -94,7 +94,7 @@ jobs: chainloop attestation init --workflow vulnerabilities-scan-jar --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} trivy rootfs target/*.jar --format sarif -o ./metadata/cve-scan-report-jar.sarif chainloop att add --name jar --value target/*.jar - chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-jar.json + chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-jar.sarif chainloop att push - name: Vulnerabilities Scan for the container image 
@@ -102,7 +102,7 @@ jobs: chainloop attestation init --workflow vulnerabilities-scan-image --project demo-spring-petclinic --contract demo-spring-petclinic --version ${{ env.VERSION }} trivy image ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest --format sarif -o ./metadata/cve-scan-report-image.sarif chainloop att add --name image --value ghcr.io/${{ github.repository }}/spring-petclinic-demo:latest - chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-image.json + chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-image.sarif chainloop att push - uses: actions/upload-artifact@v4 From 074707e0e4eca0bfafd5caebc35838447a6a9229 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Tue, 7 Jan 2025 15:52:19 +0100 Subject: [PATCH 19/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-test.yml b/.github/workflows/chainloop-demo-test.yml index 3fcf2ddb23e..c192ba49522 100644 --- a/.github/workflows/chainloop-demo-test.yml +++ b/.github/workflows/chainloop-demo-test.yml @@ -4,7 +4,6 @@ on: branches: [ main ] pull_request: branches: [ main ] - jobs: test: runs-on: ubuntu-latest From 7a9c396358486e17cfaf4aaa0a6fe340dcd408b1 Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 8 Jan 2025 10:45:54 +0100 Subject: [PATCH 20/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/chainloop-demo-test.yml b/.github/workflows/chainloop-demo-test.yml index c192ba49522..b4819750d1b 100644 --- a/.github/workflows/chainloop-demo-test.yml +++ b/.github/workflows/chainloop-demo-test.yml @@ -36,3 +36,4 @@ jobs: chainloop attestation add --name test-report --value target/site/jacoco/jacoco.xml chainloop attestation push + From d7089ca049b71e4717520d078e1a7d115461901e Mon Sep 17 00:00:00 2001 
From: Daniel Liszka Date: Sat, 11 Jan 2025 22:02:36 +0100 Subject: [PATCH 21/24] chainloop demo Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 57a2209eb29..0554179a78c 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -4,7 +4,6 @@ on: branches: [ main ] pull_request: branches: [ main ] - jobs: chainloop_init: runs-on: ubuntu-latest @@ -95,6 +94,7 @@ jobs: trivy rootfs target/*.jar --format sarif -o ./metadata/cve-scan-report-jar.sarif chainloop att add --name jar --value target/*.jar chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-jar.sarif + chainloop att push - name: Vulnerabilities Scan for the container image From 721c12a4e0b82e417940a2d277ff62393cb1f25f Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 14 May 2025 23:14:16 +0200 Subject: [PATCH 22/24] process policy violations --- .github/workflows/chainloop-demo-build-container-image.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 0554179a78c..d93703f0735 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml 
@@ -94,7 +94,10 @@ jobs: trivy rootfs target/*.jar --format sarif -o ./metadata/cve-scan-report-jar.sarif chainloop att add --name jar --value target/*.jar chainloop att add --name cve-scan-report --value ./metadata/cve-scan-report-jar.sarif - + if [ $(chainloop att status -o json | jq .hasPolicyViolations) == "true" ]; then + echo "Policy Violations found for the JAR file" + exit 1 + fi chainloop att push - name: Vulnerabilities Scan for the container image From 7c495914074a5652172aa9d2bc9f970f5550022f Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Wed, 14 May 2025 23:24:02 +0200 Subject: [PATCH 23/24] update install.sh references Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 4 ++-- .github/workflows/chainloop-demo-test.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index d93703f0735..035c1b3ff69 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v4 - name: Install Chainloop run: | - curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s + curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s - name: Initialize Attestation id: att_init run: | 
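Review bot: The new gate `if [ $(chainloop att status -o json | jq .hasPolicyViolations) == "true" ]` fails open: if `chainloop att status` errors or the field is absent, the substitution yields an empty string or `null`, the test is false (or a `[` usage error that `if` simply treats as false), and `chainloop att push` still runs; the unquoted `$(...)` inside `[ ]` is also a word-splitting hazard. A form that treats any failure of the status pipeline as a violation is `if ! chainloop att status -o json | jq -e '.hasPolicyViolations == false' >/dev/null; then`, keeping the `echo`/`exit 1` body as is. The check is only added for the JAR scan; the container-image scan step that follows (outside this hunk) still pushes its attestation unconditionally, so the control is asymmetric between the two artifacts.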
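Review bot: Replacing the commit-pinned `raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh` with `https://dl.chainloop.dev/cli/install.sh` trades a reproducible installer for one that can change between runs and is still piped straight into `bash`, so the CLI that produces every attestation in this pipeline becomes an unverified moving target; the same replacement appears in the two hunks that follow (`@@ -49` in this file and `@@ -24` in `chainloop-demo-test.yml`). If the installer accepts a version argument, pass a fixed release (`| bash -s -- --version <PINNED_VERSION>`, flag name and placeholder to be confirmed against the script); otherwise download the script, compare it against a known checksum, and execute it in a separate step. The Syft and Trivy installers in the same steps, fetched from `main`, deserve the same treatment.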
@@ -49,7 +49,7 @@ jobs: run: | mkdir -p metadata curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s + curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin - name: Install cosign uses: sigstore/cosign-installer@v2.5.0 diff --git a/.github/workflows/chainloop-demo-test.yml b/.github/workflows/chainloop-demo-test.yml index b4819750d1b..3765f23a1a6 100644 --- a/.github/workflows/chainloop-demo-test.yml +++ b/.github/workflows/chainloop-demo-test.yml @@ -24,7 +24,7 @@ jobs: run: | mkdir -p metadata curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s + curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s - name: Build the jar file and generate SBOM. run: | From c06ebf0f8c36d36940db0f75926ad959cb33f5cc Mon Sep 17 00:00:00 2001 From: Daniel Liszka Date: Thu, 15 May 2025 12:22:22 +0200 Subject: [PATCH 24/24] update install.sh references Signed-off-by: Daniel Liszka --- .github/workflows/chainloop-demo-build-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chainloop-demo-build-container-image.yml b/.github/workflows/chainloop-demo-build-container-image.yml index 035c1b3ff69..aba3445dd7f 100644 --- a/.github/workflows/chainloop-demo-build-container-image.yml +++ b/.github/workflows/chainloop-demo-build-container-image.yml @@ -115,4 +115,4 @@ jobs: - uses: actions/upload-artifact@v4 with: name: metadata - path: metadata/* + path: metadata/* \ No newline at end of file