Address third-round review on workflows + SECURITY.md

ericwout-overheid · claude · ericwout-overheid · commit 5d8305db0cc7 · 2026-05-05T09:46:37.000Z
Critical:
- release-sign: verify cosign sign-blob outputs are non-empty before
  upload — cosign exits 0 on partial writes, which would otherwise ship
  a zero-byte .sig/.pem to a published release.

Important:
- release-sign: verify dispatched tag both exists on origin and has a
  published release before signing; refuse to sign arbitrary refs from
  workflow_dispatch.
- release-sign: refuse to clobber existing signed assets on re-run.
  --clobber silently overwrote them; now fails loudly with a copy-paste
  cleanup hint so an operator decides whether to delete first.
- release-sign: tighten semver regex so v1.2.3.foo is rejected (the
  prior `[.-]` alternation let it through).
- trivy: fail loudly when SARIF generation produced no file. The prior
  hashFiles guard skipped upload silently, leaving the code-scanning
  dashboard stale on scanner crash.
- trivy + shellcheck: add fork-PR fallback jobs that run the scanner
  without SARIF upload / PR-comment posting, so external contributions
  still get gated on secrets, vulns, misconfig, and shell warnings.
- build-image: cosign verify the just-signed image against Rekor to
  catch transient Fulcio/Rekor write failures that cosign sign itself
  doesn't propagate.

Cleanup:
- build-image: rewrite "provenance/sbom no-ops bij push: false" comment
  so a future maintainer doesn't strip the unconditional flags; add
  id-token: write to the local-permission-escalation note.
- scorecard: log the trigger and whether publish_results actually took
  effect, so a stale badge isn't silently caused by an unpublishable
  branch_protection_rule run.
- SECURITY.md: document which release asset to cosign verify (the
  signed tar.gz, not GitHub's auto-generated Source code archive);
  switch the MinBZK CIO-office reference from backticks to quotes
  since it isn't a GitHub path.
- CONTRIBUTING.md: soften the "moet groen / moeten zijn opgelost"
  language since branch protection isn't enforcing the gate yet.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -66,8 +66,9 @@ jobs:
             type=raw,value=latest,enable={{is_default_branch}}
 
       # PR builds zijn amd64-only om CI-tijd te besparen; arm64-regressies
-      # komen pas op main aan het licht. provenance/sbom zijn no-ops bij
-      # push: false (buildx hangt attestations alleen aan een registry-push).
+      # komen pas op main aan het licht. provenance/sbom blijven aan staan;
+      # buildx negeert ze stilzwijgend bij push: false en hangt ze alleen
+      # aan de registry-push op main/tag — laat ze hier dus niet weg.
       - name: Build and push image
         id: build
         uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
@@ -100,3 +101,18 @@ jobs:
             exit 1
           fi
           cosign sign --yes "${REGISTRY}/${IMAGE_NAME}@${DIGEST}"
+
+      # Verify the signature we just wrote is actually retrievable from
+      # Rekor. Catches transient Fulcio/Rekor write failures that cosign
+      # sign itself didn't propagate (rare, but ships an unsigned image).
+      - name: Verify image signature
+        if: github.event_name != 'pull_request'
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          REPO_FULL: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/${REPO_FULL}/.github/workflows/build-image.yml@.*" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            "${REGISTRY}/${IMAGE_NAME}@${DIGEST}"
diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
@@ -39,14 +39,34 @@ jobs:
             echo "Resolved tag is empty (event=$EVENT_NAME)" >&2
             exit 1
           fi
-          # Restrict to safe semver-ish tags so downstream filenames and
+          # Restrict to strict semver tags so downstream filenames and
           # --prefix paths cannot contain slashes, spaces, or shell metachars.
-          if ! printf '%s' "$RESOLVED" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$'; then
+          # Prerelease starts with `-`, build-metadata with `+`; reject the
+          # `v1.2.3.foo` shape that an alternation `[.-]` would let through.
+          if ! printf '%s' "$RESOLVED" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'; then
             echo "Tag '$RESOLVED' does not match expected semver pattern" >&2
             exit 1
           fi
           echo "name=$RESOLVED" >> "$GITHUB_OUTPUT"
 
+      - name: Verify tag refers to a published release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.tag.outputs.name }}
+          REPO_FULL: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          # workflow_dispatch can target arbitrary tags (incl. moved or typo'd
+          # ones). Refuse to sign anything that isn't a published release.
+          if ! git ls-remote --exit-code --tags "https://github.com/${REPO_FULL}.git" "refs/tags/${TAG}" >/dev/null; then
+            echo "Tag '${TAG}' does not exist on origin" >&2
+            exit 1
+          fi
+          if ! gh release view "${TAG}" --repo "${REPO_FULL}" >/dev/null 2>&1; then
+            echo "Tag '${TAG}' has no corresponding published release" >&2
+            exit 1
+          fi
+
       - name: Checkout tag
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -86,6 +106,14 @@ jobs:
             --output-signature "${ARCHIVE}.sig" \
             --output-certificate "${ARCHIVE}.pem" \
             "${ARCHIVE}"
+          # cosign exits 0 even if a partial write produced a zero-byte
+          # signature or certificate; verify both before we ship them.
+          for f in "${ARCHIVE}.sig" "${ARCHIVE}.pem"; do
+            if [ ! -s "$f" ]; then
+              echo "Empty signing output: $f" >&2
+              exit 1
+            fi
+          done
 
       - name: Upload assets to release
         env:
@@ -96,12 +124,22 @@ jobs:
         run: |
           set -euo pipefail
           ARCHIVE="${REPO}-${TAG}.tar.gz"
+          # Refuse to overwrite signed assets silently. A re-run for the same
+          # tag should fail loudly so an operator decides whether to delete
+          # the existing assets first (and document why).
+          EXISTING="$(gh release view "${TAG}" --repo "${REPO_FULL}" --json assets --jq '.assets[].name')"
+          for f in "${ARCHIVE}" "${ARCHIVE}.sig" "${ARCHIVE}.pem" "${ARCHIVE}.sha256"; do
+            if printf '%s\n' "${EXISTING}" | grep -Fxq "$f"; then
+              echo "Refusing to clobber existing release asset: $f" >&2
+              echo "Delete it manually with: gh release delete-asset ${TAG} $f --repo ${REPO_FULL}" >&2
+              exit 1
+            fi
+          done
           gh release upload "${TAG}" \
             "${ARCHIVE}" \
             "${ARCHIVE}.sig" \
             "${ARCHIVE}.pem" \
             "${ARCHIVE}.sha256" \
-            --clobber \
             --repo "${REPO_FULL}"
 
           # Verify all four expected assets actually landed on the release.
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -40,6 +40,22 @@ jobs:
           # action skips publishing otherwise.
           publish_results: true
 
+      - name: "Log run mode"
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          REF: ${{ github.ref }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        run: |
+          set -euo pipefail
+          PUBLISHED="no (badge will use last published run)"
+          if [ "$EVENT_NAME" = "push" ] || [ "$EVENT_NAME" = "schedule" ]; then
+            if [ "$REF" = "refs/heads/${DEFAULT_BRANCH}" ] || [ "$EVENT_NAME" = "schedule" ]; then
+              PUBLISHED="yes"
+            fi
+          fi
+          echo "Trigger: $EVENT_NAME on $REF"
+          echo "publish_results effective: $PUBLISHED"
+
       - name: "Validate SARIF output is non-empty"
         run: |
           set -euo pipefail
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -14,8 +14,7 @@ jobs:
     name: differential-shellcheck
     runs-on: ubuntu-latest
     timeout-minutes: 10
-    # Skip on PRs from forks: GitHub strips security-events / pull-requests
-    # write permissions, which would make SARIF upload + PR-comment posting fail.
+    # Same-repo PRs, push: full differential run with SARIF upload + PR comment.
     if: |
       (github.event_name != 'pull_request') ||
       (github.event.pull_request.head.repo.full_name == github.repository)
@@ -37,3 +36,31 @@ jobs:
           strict-check-on-push: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  shellcheck-fork-pr:
+    name: shellcheck (fork PR fallback)
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    # Fork PRs cannot upload SARIF or post PR comments. Run a plain
+    # shellcheck across all tracked shell scripts so external contributions
+    # still get gated on shell warnings/errors.
+    if: |
+      github.event_name == 'pull_request' &&
+      github.event.pull_request.head.repo.full_name != github.repository
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run shellcheck on tracked shell scripts
+        run: |
+          set -euo pipefail
+          mapfile -d '' files < <(git ls-files -z '*.sh' '*.bash')
+          if [ ${#files[@]} -eq 0 ]; then
+            echo "No shell scripts found; nothing to check."
+            exit 0
+          fi
+          shellcheck --severity=warning "${files[@]}"
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -16,8 +16,7 @@ jobs:
     name: Trivy filesystem scan
     runs-on: ubuntu-latest
     timeout-minutes: 15
-    # Skip on PRs from forks: GitHub strips security-events permissions
-    # from forked-PR runs, which would make the SARIF upload fail.
+    # Same-repo PRs, push, schedule: full SARIF run with code-scanning upload.
     if: |
       (github.event_name != 'pull_request') ||
       (github.event.pull_request.head.repo.full_name == github.repository)
@@ -53,9 +52,49 @@ jobs:
           ignore-unfixed: true
           scanners: vuln,secret,misconfig
 
+      # Fail loudly if the scanner crashed and produced no SARIF; otherwise
+      # the upload step would silently no-op and the dashboard would show
+      # stale results without anyone noticing.
+      - name: Verify SARIF output exists
+        if: always()
+        run: |
+          set -euo pipefail
+          if [ ! -s trivy-results.sarif ]; then
+            echo "trivy-results.sarif is missing or empty" >&2
+            exit 1
+          fi
+
       - name: Upload to code-scanning
-        if: always() && hashFiles('trivy-results.sarif') != ''
+        if: always()
         uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
         with:
           sarif_file: trivy-results.sarif
           category: trivy
+
+  scan-fork-pr:
+    name: Trivy filesystem scan (fork PR fallback)
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    # Fork PRs cannot upload SARIF (GitHub strips security-events from
+    # the read-only token). Run trivy with exit-code only so PR-time
+    # secret/vuln/misconfig gating still applies to external contributors.
+    if: |
+      github.event_name == 'pull_request' &&
+      github.event.pull_request.head.repo.full_name != github.repository
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Trivy fail-on-findings (CRITICAL/HIGH)
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: fs
+          format: table
+          severity: CRITICAL,HIGH
+          ignore-unfixed: true
+          scanners: vuln,secret,misconfig
+          exit-code: '1'
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -9,7 +9,7 @@ We volgen de bijdragerichtlijnen van het Ministerie van Binnenlandse Zaken en Ko
 1. Open een issue of reageer op een bestaand issue voordat je begint.
 2. Fork de repository en maak een feature-branch.
 3. Open een pull request naar `main` met een duidelijke beschrijving.
-4. CI moet groen zijn. Alle review-comments moeten zijn opgelost voor merge.
+4. CI is verwacht groen en review-comments verwacht opgelost voor merge (afdwinging via branch protection wordt later toegevoegd).
 
 ## Gedragscode
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -7,8 +7,8 @@ Voor verantwoorde melding van kwetsbaarheden volgen we het beleid van het Minist
 
 Vermeld in je melding **beide** referenties zodat de melding via MinBZK CIO-office bij de juiste maintainers terechtkomt:
 
-1. `MinBZK/CIO-office github security response` — conform het MinBZK-beleid
-2. de repository `RijksICTGilde/hackathon-claude-code` — voor directe routering naar de maintainers
+1. "MinBZK/CIO-office github security response" — conform het MinBZK-beleid (vrije-tekstreferentie, geen GitHub-pad)
+2. de repository [`RijksICTGilde/hackathon-claude-code`](https://github.com/RijksICTGilde/hackathon-claude-code) — voor directe routering naar de maintainers
 
 ## Reactietermijn
 
@@ -25,4 +25,29 @@ Conform het MinBZK-beleid (gebaseerd op NCSC) streven we naar:
 - Misbruik de kwetsbaarheid niet verder dan nodig om het bestaan ervan aan te tonen.
 - Wijzig of verwijder geen data op systemen.
 
+## Verifiëren van release-artefacten
+
+Bij elke gepubliceerde release tekent de `release-sign` workflow het bron-archief met cosign keyless. De release bevat vier assets:
+
+- `<repo>-<tag>.tar.gz` — het ondertekende bron-archief
+- `<repo>-<tag>.tar.gz.sig` — handtekening
+- `<repo>-<tag>.tar.gz.pem` — Sigstore-certificaat
+- `<repo>-<tag>.tar.gz.sha256` — SHA256-checksum
+
+**Belangrijk:** verifieer alleen het `<repo>-<tag>.tar.gz` asset uit de release. GitHub's automatisch gegenereerde "Source code (tar.gz)" download is een ander archief en heeft een andere checksum — die handtekening werkt daar niet op.
+
+```bash
+TAG=v1.2.3
+REPO=hackathon-claude-code
+gh release download "$TAG" --repo RijksICTGilde/$REPO \
+  --pattern "$REPO-$TAG.tar.gz*"
+sha256sum -c "$REPO-$TAG.tar.gz.sha256"
+cosign verify-blob \
+  --certificate "$REPO-$TAG.tar.gz.pem" \
+  --signature "$REPO-$TAG.tar.gz.sig" \
+  --certificate-identity-regexp "https://github.com/RijksICTGilde/$REPO/.github/workflows/release-sign.yml@.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  "$REPO-$TAG.tar.gz"
+```
+
 Zie het [volledige MinBZK-beleid](https://github.com/MinBZK/.github/blob/main/SECURITY.md) voor de complete tekst, do's en don'ts, en wat wij beloven.
