🤖 Fix for issue #93: Feature Request: Container Image Signing, SBOM, and Attestation (attempt 2)

cmd/sc/main.go

@@ -18,8 +18,11 @@ import (
 	"github.com/simple-container-com/api/pkg/cmd/cmd_cicd"
 	"github.com/simple-container-com/api/pkg/cmd/cmd_deploy"
 	"github.com/simple-container-com/api/pkg/cmd/cmd_destroy"
+	"github.com/simple-container-com/api/pkg/cmd/cmd_image"
 	"github.com/simple-container-com/api/pkg/cmd/cmd_init"
 	"github.com/simple-container-com/api/pkg/cmd/cmd_provision"
+	"github.com/simple-container-com/api/pkg/cmd/cmd_release"
+	"github.com/simple-container-com/api/pkg/cmd/cmd_sbom"
 	"github.com/simple-container-com/api/pkg/cmd/cmd_secrets"
 	"github.com/simple-container-com/api/pkg/cmd/cmd_stack"
 	"github.com/simple-container-com/api/pkg/cmd/cmd_upgrade"
@@ -83,6 +86,9 @@ func main() {
 		cmd_upgrade.NewUpgradeCmd(rootCmdInstance),
 		cmd_stack.NewStackCmd(rootCmdInstance),
 		cmd_cicd.NewCicdCmd(rootCmdInstance),
+		cmd_image.NewImageCmd(),
+		cmd_sbom.NewSBOMCommand(),
+		cmd_release.NewReleaseCommand(rootCmdInstance),
 	)
 
 	rootCmd.PersistentFlags().BoolVarP(&rootParams.Verbose, "verbose", "v", rootParams.Verbose, "Verbose mode")

cmd/schema-gen/main.go

@@ -348,6 +348,60 @@ func (sg *SchemaGenerator) generateConfigurationSchemas() ([]ResourceDefinition,
 		},
 	}...)
 
+	// Security configuration schemas
+	configSchemas = append(configSchemas, []ResourceDefinition{
+		{
+			Name:         "SecurityDescriptor",
+			Type:         "configuration",
+			Provider:     "core",
+			Description:  "Container image security configuration schema",
+			GoPackage:    "pkg/api/security_config.go",
+			GoStruct:     "SecurityDescriptor",
+			ResourceType: "security-config",
+			Schema:       reflect.TypeOf(api.SecurityDescriptor{}),
+		},
+		{
+			Name:         "SigningDescriptor",
+			Type:         "configuration",
+			Provider:     "core",
+			Description:  "Image signing configuration schema",
+			GoPackage:    "pkg/api/security_config.go",
+			GoStruct:     "SigningDescriptor",
+			ResourceType: "signing-config",
+			Schema:       reflect.TypeOf(api.SigningDescriptor{}),
+		},
+		{
+			Name:         "SBOMDescriptor",
+			Type:         "configuration",
+			Provider:     "core",
+			Description:  "SBOM generation configuration schema",
+			GoPackage:    "pkg/api/security_config.go",
+			GoStruct:     "SBOMDescriptor",
+			ResourceType: "sbom-config",
+			Schema:       reflect.TypeOf(api.SBOMDescriptor{}),
+		},
+		{
+			Name:         "ProvenanceDescriptor",
+			Type:         "configuration",
+			Provider:     "core",
+			Description:  "SLSA provenance configuration schema",
+			GoPackage:    "pkg/api/security_config.go",
+			GoStruct:     "ProvenanceDescriptor",
+			ResourceType: "provenance-config",
+			Schema:       reflect.TypeOf(api.ProvenanceDescriptor{}),
+		},
+		{
+			Name:         "ScanDescriptor",
+			Type:         "configuration",
+			Provider:     "core",
+			Description:  "Vulnerability scanning configuration schema",
+			GoPackage:    "pkg/api/security_config.go",
+			GoStruct:     "ScanDescriptor",
+			ResourceType: "scan-config",
+			Schema:       reflect.TypeOf(api.ScanDescriptor{}),
+		},
+	}...)
+
 	fmt.Printf("Generated %d configuration file schemas\n", len(configSchemas))
 	return configSchemas, nil
 }

docs/design/container-security/IMPLEMENTATION_STATUS.md

@@ -0,0 +1,238 @@
+# Container Security Implementation Status
+
+**Issue:** #105 - Container Image Security
+**Last Updated:** 2026-02-06
+**Current Phase:** Phase 2 (Partial) - Transitioning to Phase 3
+
+---
+
+## Overview
+
+This document tracks the implementation progress of the container image security feature across 5 phases.
+
+## Implementation Progress
+
+### ✅ Phase 1: Core Infrastructure (PARTIAL - ~60% Complete)
+
+**Status:** Partially implemented in PR #114
+
+**Completed:**
+- ✅ `pkg/security/executor.go` - SecurityExecutor orchestrator (basic)
+- ✅ `pkg/security/context.go` - ExecutionContext with CI detection
+- ✅ `pkg/security/errors.go` - Error types
+- ✅ `pkg/security/tools/command.go` - Command execution wrapper
+- ✅ `pkg/security/executor_test.go` - Basic executor tests
+
+**Missing/Incomplete:**
+- ❌ `pkg/security/cache.go` - Caching layer for scan results and SBOMs
+- ❌ `pkg/security/config.go` - Comprehensive SecurityConfig types
+- ❌ `pkg/security/tools/installer.go` - Tool installation checking
+- ❌ `pkg/security/tools/version.go` - Version validation
+- ❌ `pkg/security/tools/registry.go` - Tool registry
+- ❌ `pkg/api/security_config.go` - API-level security configuration types
+- ❌ Comprehensive unit tests for cache, tools, context
+- ❌ JSON schema generation for security config types
+- ❌ Integration with `pkg/api/client.go` (SecurityDescriptor field)
+
+**Notes:**
+- Current SecurityConfig in executor.go is minimal (only has Enabled and Signing fields)
+- Missing comprehensive configuration model for SBOM, Provenance, Scanning
+- Tool management is incomplete (only basic command execution)
+
+---
+
+### ✅ Phase 2: Image Signing (COMPLETE - ~95%)
+
+**Status:** Mostly implemented in PR #114
+
+**Completed:**
+- ✅ `pkg/security/signing/signer.go` - Signer interface
+- ✅ `pkg/security/signing/keyless.go` - Keyless OIDC signing
+- ✅ `pkg/security/signing/keybased.go` - Key-based signing
+- ✅ `pkg/security/signing/verifier.go` - Signature verification
+- ✅ `pkg/security/signing/config.go` - Signing configuration
+- ✅ `pkg/security/signing/keyless_test.go` - Keyless tests
+- ✅ `pkg/security/signing/keybased_test.go` - Key-based tests
+- ✅ `pkg/security/signing/verifier_test.go` - Verifier tests
+- ✅ `pkg/security/signing/config_test.go` - Config tests
+- ✅ `pkg/cmd/cmd_image/sign.go` - Sign CLI command
+- ✅ `pkg/cmd/cmd_image/verify.go` - Verify CLI command
+- ✅ `pkg/cmd/cmd_image/image.go` - Image command group
+
+**Missing/Incomplete:**
+- ❌ Integration tests with real cosign commands
+- ❌ E2E tests with test registries
+- ❌ Integration into SecurityExecutor workflow (ExecuteSigning is present but not fully tested)
+
+**Notes:**
+- Core signing functionality is complete and well-tested
+- Ready for integration testing once Phase 1 gaps are filled
+
+---
+
+### ❌ Phase 3: SBOM Generation (NOT STARTED - 0%)
+
+**Status:** Not started
+
+**Required Files:**
+- ❌ `pkg/security/sbom/generator.go` - Generator interface
+- ❌ `pkg/security/sbom/syft.go` - Syft implementation
+- ❌ `pkg/security/sbom/attacher.go` - Attestation attacher
+- ❌ `pkg/security/sbom/formats.go` - Format handling
+- ❌ `pkg/security/sbom/config.go` - SBOM configuration
+- ❌ `pkg/cmd/cmd_sbom/generate.go` - Generate CLI command
+- ❌ `pkg/cmd/cmd_sbom/attach.go` - Attach CLI command
+- ❌ `pkg/cmd/cmd_sbom/verify.go` - Verify CLI command
+- ❌ `pkg/cmd/cmd_sbom/sbom.go` - SBOM command group
+- ❌ Unit and integration tests
+
+**Dependencies:**
+- Requires Phase 2 (Signing) for attestation signing
+
+---
+
+### ❌ Phase 4A: SLSA Provenance (NOT STARTED - 0%)
+
+**Status:** Not started
+
+**Required Files:**
+- ❌ `pkg/security/provenance/generator.go` - Generator interface
+- ❌ `pkg/security/provenance/slsa.go` - SLSA v1.0 format
+- ❌ `pkg/security/provenance/materials.go` - Build materials collection
+- ❌ `pkg/security/provenance/builder.go` - Builder identification
+- ❌ `pkg/security/provenance/config.go` - Provenance configuration
+- ❌ `pkg/cmd/cmd_provenance/attach.go` - Attach CLI command
+- ❌ `pkg/cmd/cmd_provenance/verify.go` - Verify CLI command
+- ❌ `pkg/cmd/cmd_provenance/provenance.go` - Provenance command group
+- ❌ Unit and integration tests
+
+**Dependencies:**
+- Requires Phase 1 (ExecutionContext) for CI detection
+- Requires Phase 2 (Signing) for attestation signing
+
+---
+
+### ❌ Phase 4B: Vulnerability Scanning (NOT STARTED - 0%)
+
+**Status:** Not started
+
+**Required Files:**
+- ❌ `pkg/security/scan/scanner.go` - Scanner interface
+- ❌ `pkg/security/scan/grype.go` - Grype scanner
+- ❌ `pkg/security/scan/trivy.go` - Trivy scanner
+- ❌ `pkg/security/scan/policy.go` - Policy enforcement
+- ❌ `pkg/security/scan/result.go` - Result types
+- ❌ `pkg/security/scan/config.go` - Scan configuration
+- ❌ `pkg/cmd/cmd_image/scan.go` - Scan CLI command
+- ❌ Unit and integration tests
+
+**Dependencies:**
+- Requires Phase 1 (Cache, Config) for scan result caching and configuration
+
+---
+
+### ❌ Phase 5: Pulumi Integration & Release Workflow (NOT STARTED - 0%)
+
+**Status:** Not started
+
+**Required Files:**
+- ❌ Modify `pkg/clouds/pulumi/docker/build_and_push.go` - Add security operations
+- ❌ `pkg/cmd/cmd_release/create.go` - Release create command
+- ❌ `pkg/cmd/cmd_release/release.go` - Release command group
+- ❌ Modify `pkg/cmd/root_cmd/root.go` - Add release command
+- ❌ Update `cmd/schema-gen/main.go` - Generate security schemas
+- ❌ `pkg/security/integration_test.go` - E2E integration tests
+- ❌ Documentation updates
+
+**Dependencies:**
+- Requires all previous phases (1-4) completion
+
+---
+
+## Summary Statistics
+
+| Phase | Status | Completion | Files Completed | Files Missing | Tests |
+|-------|--------|------------|-----------------|---------------|-------|
+| Phase 1 | 🟡 Partial | 60% | 5/13 | 8 | Minimal |
+| Phase 2 | 🟢 Complete | 95% | 12/15 | 3 | Good |
+| Phase 3 | ⚪ Not Started | 0% | 0/10 | 10 | None |
+| Phase 4A | ⚪ Not Started | 0% | 0/9 | 9 | None |
+| Phase 4B | ⚪ Not Started | 0% | 0/8 | 8 | None |
+| Phase 5 | ⚪ Not Started | 0% | 0/7 | 7 | None |
+| **Total** | **🟡 In Progress** | **~25%** | **17/62** | **45** | **Limited** |
+
+---
+
+## Critical Gaps to Address
+
+### Immediate Priority (Complete Phase 1)
+
+1. **Missing Configuration Model** - Need comprehensive SecurityConfig types in `pkg/security/config.go` and `pkg/api/security_config.go`
+2. **Missing Cache Layer** - Need `pkg/security/cache.go` for scan results and SBOM caching
+3. **Missing Tool Management** - Need `pkg/security/tools/installer.go`, `version.go`, `registry.go` for tool validation
+4. **Missing Tests** - Need comprehensive unit tests for context, cache, tools
+
+### Next Priority (Complete Phase 2 Integration)
+
+5. **Integration Tests** - Add integration tests for signing with real cosign commands
+6. **E2E Tests** - Add end-to-end tests with test registries
+7. **Executor Integration** - Fully integrate signing into SecurityExecutor workflow
+
+### Following Priorities (Phases 3-5)
+
+8. **SBOM Generation** - Implement Syft integration and attestation
+9. **Provenance & Scanning** - Implement SLSA provenance and vulnerability scanning
+10. **Pulumi Integration** - Integrate with BuildAndPushImage and create release workflow
+
+---
+
+## Recommended Next Steps
+
+### Option 1: Complete Phase 1 First (Recommended)
+**Rationale:** Establishes solid foundation before proceeding
+
+1. Implement missing Phase 1 files (cache, config, tools)
+2. Add comprehensive unit tests
+3. Add JSON schema generation
+4. Complete integration with pkg/api
+5. Then proceed to Phase 3
+
+### Option 2: Continue with Phase 3 (SBOM)
+**Rationale:** Phase 2 is mostly complete, SBOM is next logical feature
+
+1. Accept Phase 1 gaps as technical debt
+2. Implement Phase 3 (SBOM) with minimal config model
+3. Backfill Phase 1 gaps later
+
+### Option 3: Complete Phase 1 + Phase 2 E2E, Then Phase 3
+**Rationale:** Ensures Phases 1-2 are production-ready before moving forward
+
+1. Complete Phase 1 missing files
+2. Add Phase 2 integration and E2E tests
+3. Validate Phases 1-2 are production-ready
+4. Then proceed to Phase 3
+
+---
+
+## Architecture Decision
+
+**Recommendation: Option 1 - Complete Phase 1 First**
+
+**Justification:**
+- Phase 1 provides foundation for all subsequent phases
+- Cache, Config, and Tool Management are dependencies for Phases 3-5
+- Better to establish solid foundation now than accumulate technical debt
+- Only ~8 files missing from Phase 1
+- Phases 3-5 require comprehensive config model from Phase 1
+
+---
+
+## Updated Handoff Requests
+
+Based on this analysis, the handoff JSON should be regenerated with:
+
+1. **Phase 1 Completion** - Focus on missing cache, config, tools files
+2. **Phase 2 Integration** - Add integration and E2E tests
+3. **Phase 3-5** - Proceed as originally planned
+
+See updated handoff JSON in architect response.