
@JasonPowr JasonPowr commented Oct 31, 2025

User description

Summary by Sourcery

Enable FIPS-aware builds and multi-platform CI pipelines for cosign artifacts.

Build:

  • Add configurable GOFIPS140 module flag to macOS and Windows cosign builds and default FIPS module version variable.
  • Adjust the cross-platform Make target to only build macOS and Windows binaries.

CI:

  • Switch Tekton cosign pipelines to the multi-platform OCI build pipeline with explicit Linux target platforms.
  • Enable FIPS checking in cosign and client-server Tekton pull-request and push pipelines.

PR Type

Enhancement, Other


Description

  • Add FIPS compliance support via parameterized GOFIPS140 in build targets

  • Enable multi-platform OCI builds in Tekton pipelines with fips-check parameter

  • Centralize Linux builds in Tekton, removing platform-specific Makefile targets

  • Simplify Dockerfile by consolidating Linux binary handling and removing redundant platform copies


Diagram Walkthrough

flowchart LR
  A["Build.mak"] -->|Add FIPS_MODULE variable| B["GOFIPS140 parameter"]
  A -->|Remove Linux targets| C["Centralize in Tekton"]
  D["Tekton Pipelines"] -->|Add fips-check| E["FIPS validation"]
  D -->|Add build-platforms| F["Multi-arch support"]
  G["Dockerfile.cosign.rh"] -->|Simplify Linux build| H["Single cosign-linux binary"]
  H -->|Remove platform copies| I["Cleaner final image"]

File Walkthrough

Relevant files
Enhancement
Build.mak
Parameterize FIPS and remove Linux build targets                 

Build.mak

  • Add FIPS_MODULE variable with default value latest for FIPS-compliant
    builds
  • Inject GOFIPS140=$(FIPS_MODULE) into all cross-platform build targets
  • Remove Linux-specific build targets (amd64, arm64, ppc64le, s390x) to
    centralize in Tekton
  • Retain only Darwin and Windows cross-platform builds in Makefile
+5/-21   
Dockerfile.cosign.rh
Simplify Docker build and remove Linux platform variants 

Dockerfile.cosign.rh

  • Remove SHA256 digest pin from base image, use tag-only reference
  • Build single cosign-linux binary in build stage instead of
    platform-specific variants
  • Simplify COPY and RUN commands by removing Linux platform-specific
    binaries (arm64, ppc64le, s390x, amd64)
  • Consolidate permission setup for remaining binaries (cosign,
    cosign.gz, Darwin, Windows variants)
+14/-20 
Configuration changes
client-server-pull-request.yaml
Enable FIPS check in client-server PR pipeline                     

.tekton/client-server-pull-request.yaml

  • Add fips-check parameter set to true for FIPS validation in pull
    request pipeline
+2/-0     
client-server-push.yaml
Enable FIPS check in client-server push pipeline                 

.tekton/client-server-push.yaml

  • Add fips-check parameter set to true for FIPS validation in push
    pipeline
+2/-0     
cosign-pull-request.yaml
Add multi-platform builds and FIPS check to cosign PR       

.tekton/cosign-pull-request.yaml

  • Add build-platforms parameter with four Linux architectures (x86_64,
    arm64, ppc64le, s390x)
  • Add fips-check parameter set to true for FIPS validation
  • Update pipeline reference from docker-build-oci-ta.yaml to
    docker-build-multi-platform-oci-ta.yaml
+9/-1     
cosign-push.yaml
Add multi-platform builds and FIPS check to cosign push   

.tekton/cosign-push.yaml

  • Add build-platforms parameter with four Linux architectures (x86_64,
    arm64, ppc64le, s390x)
  • Add fips-check parameter set to true for FIPS validation
  • Update pipeline reference from docker-build-oci-ta.yaml to
    docker-build-multi-platform-oci-ta.yaml
+9/-1     


sourcery-ai bot commented Oct 31, 2025

Reviewer's Guide

Adds FIPS-aware build support and multi-platform OCI image builds by parameterizing FIPS in Go builds, simplifying Makefile cross-platform targets, and updating Tekton pipelines to pass new fips-check and build-platforms parameters while switching cosign pipelines to a multi-platform OCI TA pipeline definition.

Sequence diagram for updated Tekton multi-platform FIPS build pipeline

sequenceDiagram
    actor Developer
    participant GitProvider
    participant TektonPipelineRun
    participant DockerBuildMultiPlatformPipeline
    participant GoBuildTask

    Developer->>GitProvider: Open pull_request / push commit
    GitProvider-->>TektonPipelineRun: Trigger cosign-pull-request or cosign-push

    TektonPipelineRun->>DockerBuildMultiPlatformPipeline: Start pipeline
    activate DockerBuildMultiPlatformPipeline
    TektonPipelineRun->>DockerBuildMultiPlatformPipeline: Param build-platforms=[linux/x86_64, linux/arm64, linux/ppc64le, linux/s390x]
    TektonPipelineRun->>DockerBuildMultiPlatformPipeline: Param fips-check=true

    loop for each platform in build-platforms
        DockerBuildMultiPlatformPipeline->>GoBuildTask: Run Go build for platform
        activate GoBuildTask
        GoBuildTask->>GoBuildTask: Set env GOFIPS140=FIPS_MODULE
        GoBuildTask->>GoBuildTask: go build ./cmd/cosign with FIPS flags
        GoBuildTask-->>DockerBuildMultiPlatformPipeline: Built cosign binary for platform
        deactivate GoBuildTask
    end

    DockerBuildMultiPlatformPipeline-->>TektonPipelineRun: Multi-platform OCI image built (FIPS-aware)
    deactivate DockerBuildMultiPlatformPipeline

    TektonPipelineRun-->>GitProvider: Report CI status (includes fips-check results)
    GitProvider-->>Developer: CI status on PR / branch

Flow diagram for build-platforms fan-out in Tekton pipeline

flowchart TB
    Start["Tekton pipeline start"] --> Params["Read parameters"]

    Params --> BuildPlatforms["build-platforms list
- linux/x86_64
- linux/arm64
- linux/ppc64le
- linux/s390x"]
    Params --> FIPSParam["fips-check=true"]

    FIPSParam --> FIPSTask["Run FIPS check"]

    BuildPlatforms --> FanOut{For each platform}

    FanOut --> X86["Build for linux/x86_64"]
    FanOut --> Arm64["Build for linux/arm64"]
    FanOut --> Ppc64le["Build for linux/ppc64le"]
    FanOut --> S390x["Build for linux/s390x"]

    X86 --> Merge
    Arm64 --> Merge
    Ppc64le --> Merge
    S390x --> Merge
    FIPSTask --> Merge

    Merge["Assemble multi-platform OCI image"] --> End["Publish image and report CI status"]

File-Level Changes

Change Details Files
Parameterize Go builds for FIPS and simplify cross-platform binary targets in the Makefile.
  • Introduce FIPS_MODULE variable with a default of latest for build-time configuration.
  • Inject GOFIPS140 from FIPS_MODULE into cosign darwin/arm64, darwin/amd64, and windows/amd64 go build commands.
  • Reduce the cross-platform aggregate target to only macOS and Windows builds, dropping Linux binaries from the Makefile in favor of pipeline builds.
Build.mak
Enable multi-platform OCI builds and FIPS checks in Tekton cosign pipelines.
  • Add build-platforms parameter listing linux/x86_64, linux/arm64, linux/ppc64le, and linux/s390x to cosign pull-request and push pipelines.
  • Add fips-check parameter, defaulting to true, to cosign pull-request and push pipelines.
  • Switch cosign pull-request and push pipelines to use pipelines/docker-build-multi-platform-oci-ta.yaml instead of pipelines/docker-build-oci-ta.yaml.
.tekton/cosign-pull-request.yaml
.tekton/cosign-push.yaml
Enable FIPS checks in client-server Tekton pipelines.
  • Add fips-check parameter, defaulting to true, to client-server pull-request and push pipelines.
.tekton/client-server-pull-request.yaml
.tekton/client-server-push.yaml

@JasonPowr
Member Author

/retest

@JasonPowr JasonPowr force-pushed the add-fips-check branch 2 times, most recently from c3bd73e to 3872532 on November 14, 2025 09:48
@JasonPowr
Member Author

/retest

@JasonPowr JasonPowr marked this pull request as ready for review November 28, 2025 08:47
@qodo-merge-pro
PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴
Unpinned base image

Description: Base image digest pinning was removed (using a tag-only reference for
'registry.redhat.io/ubi9/go-toolset:9.7'), which enables supply-chain attacks if the tag
is retagged or compromised; restore a content-addressable digest to ensure reproducible
and verifiable builds.
Dockerfile.cosign.rh [2-2]

Referred Code
FROM registry.redhat.io/ubi9/go-toolset:9.7 AS build-env
Dependency integrity risk

Description: The build stage now exports version metadata and compiles binaries without verifying
module integrity beyond 'go mod vendor'; absence of 'GONOSUMDB'/'GOPRIVATE' hardening or
'go mod verify' in a hermetic context can allow dependency tampering—add 'go mod verify'
and checksum enforcement before building.
Dockerfile.cosign.rh [10-23]

Referred Code
RUN git config --global --add safe.directory /cosign && \
    git update-index --assume-unchanged Dockerfile.cosign.rh && \
    export GIT_VERSION=$(git describe --tags --always --dirty) && \
    export GIT_HASH=$(git rev-parse HEAD) && \
    export BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') && \
    go mod vendor && \
    GIT_TREESTATE=clean && \
    LDFLAGS="-X sigs.k8s.io/release-utils/version.gitVersion=${GIT_VERSION} \
                -X sigs.k8s.io/release-utils/version.gitCommit=${GIT_HASH} \
                -X sigs.k8s.io/release-utils/version.gitTreeState=${GIT_TREESTATE} \
                -X sigs.k8s.io/release-utils/version.buildDate=${BUILD_DATE}"; \
    go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \
    gzip -k cosign-linux && \
    make -f Build.mak cross-platform && \
Unpinned pipeline ref

Description: Enabling multi-platform builds and FIPS checks without pinning the referenced pipeline
definition path to an immutable revision for the task file increases supply-chain risk;
ensure the pipeline tasks and images are pinned (e.g., commit SHA) to prevent drift or
malicious changes.
cosign-pull-request.yaml [45-51]

Referred Code
  value:
    - linux/x86_64
    - linux/arm64
    - linux/ppc64le
    - linux/s390x
- name: fips-check
  value: "true"
Unpinned pipeline ref

Description: The Tekton pipeline reference for the multi-platform build is set via 'pathInRepo' without
pinning to a specific commit for the task file, which can lead to executing changed tasks
unexpectedly; pin to a commit SHA and/or digest-pin task images.
cosign-push.yaml [42-49]

Referred Code
  value:
    - linux/x86_64
    - linux/arm64
    - linux/ppc64le
    - linux/s390x
- name: fips-check
  value: "true"
pipelineRef:
Ticket Compliance
🎫 No ticket provided
Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No auditing: The added pipeline parameters (e.g., 'fips-check', 'build-platforms')
introduce no logging or audit trail for critical actions in the changed code segments.

Referred Code
- name: build-platforms
  value:
    - linux/x86_64
    - linux/arm64
    - linux/ppc64le
    - linux/s390x
- name: fips-check
  value: "true"

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing error handling: The added Dockerfile RUN sequence builds binaries without explicit checks or fallbacks for
failures (e.g., go build, gzip), which may cause silent pipeline failures depending on
shell settings.

Referred Code
RUN git config --global --add safe.directory /cosign && \
    git update-index --assume-unchanged Dockerfile.cosign.rh && \
    export GIT_VERSION=$(git describe --tags --always --dirty) && \
    export GIT_HASH=$(git rev-parse HEAD) && \
    export BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') && \
    go mod vendor && \
    GIT_TREESTATE=clean && \
    LDFLAGS="-X sigs.k8s.io/release-utils/version.gitVersion=${GIT_VERSION} \
                -X sigs.k8s.io/release-utils/version.gitCommit=${GIT_HASH} \
                -X sigs.k8s.io/release-utils/version.gitTreeState=${GIT_TREESTATE} \
                -X sigs.k8s.io/release-utils/version.buildDate=${BUILD_DATE}"; \
    go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \
    gzip -k cosign-linux && \
    make -f Build.mak cross-platform && \
    gzip cosign-darwin-amd64 && \
    gzip cosign-darwin-arm64 && \
    gzip cosign-windows-amd64.exe && \
    git update-index --no-assume-unchanged Dockerfile.cosign.rh

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unpinned base image: The base image digest pin was removed ('FROM ...:9.7' without sha256), weakening
supply-chain integrity and input trust of the build environment.

Referred Code
FROM registry.redhat.io/ubi9/go-toolset:9.7 AS build-env

Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

  • The build-platforms parameter values use linux/x86_64, but most OCI/buildx tooling expects linux/amd64; consider aligning the architecture strings to the standard values to avoid unexpected build failures.
  • By removing the Linux build targets from cross-platform and the Makefile entirely, local Linux binaries are no longer easily buildable via make; consider retaining simple Linux targets (or a wrapper target) to preserve existing developer workflows while still centralizing CI builds in Tekton.
@qodo-merge-pro
PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
High-level
Refactor build logic to avoid duplication

The Dockerfile duplicates build logic from the Makefile and omits the new
GOFIPS140 flag for the Linux build. Consolidate all Go build commands into the
Makefile to ensure FIPS support is applied consistently.

Examples:

Dockerfile.cosign.rh [16-23]
    GIT_TREESTATE=clean && \
    LDFLAGS="-X sigs.k8s.io/release-utils/version.gitVersion=${GIT_VERSION} \
                -X sigs.k8s.io/release-utils/version.gitCommit=${GIT_HASH} \
                -X sigs.k8s.io/release-utils/version.gitTreeState=${GIT_TREESTATE} \
                -X sigs.k8s.io/release-utils/version.buildDate=${BUILD_DATE}"; \
    go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \
    gzip -k cosign-linux && \
    make -f Build.mak cross-platform && \

Solution Walkthrough:

Before:

# Dockerfile.cosign.rh
...
RUN ...
    # LDFLAGS are duplicated from Makefile
    LDFLAGS="-X sigs.k8s.io/release-utils/version.gitVersion=${GIT_VERSION} ..."; \
    # Linux build is missing the GOFIPS140 flag
    go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \
    # Other builds use Makefile, which has the FIPS flag
    make -f Build.mak cross-platform && \
    ...

After:

# Dockerfile.cosign.rh
...
RUN ...
    # Build logic is consolidated into Makefile
    make -f Build.mak cosign-linux && \
    make -f Build.mak cross-platform && \
    ...

# Build.mak
...
FIPS_MODULE ?= latest
LDFLAGS=...

cosign-linux: ## Build for Linux
	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=linux GOARCH=amd64 go build -o cosign-linux ...
Suggestion importance[1-10]: 9

Why: The suggestion correctly identifies a critical flaw where the new Linux build in the Dockerfile omits the GOFIPS140 flag, undermining the PR's primary goal of adding FIPS support, and also points out duplicated build logic.

High
Security
Pin base image to specific digest

Restore the SHA256 digest pin for the FROM instruction in Dockerfile.cosign.rh
to ensure reproducible builds and enhance security.

Dockerfile.cosign.rh [2]

-FROM registry.redhat.io/ubi9/go-toolset:9.7 AS build-env
+FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:380d6de9bbc5a42ca13d425be99958fb397317664bb8a00e49d464e62cc8566c AS build-env
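Review bot: the digest on the `+` line has to be the one the `:9.7` tag currently resolves to, and a digest pin with no automated refresh silently freezes the build stage on an image that stops receiving fixes once the tag moves on; restore the pin together with the bot (Renovate, Dependabot or the repo's existing updater) that bumps it, and confirm the digest against the registry before merging.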
Suggestion importance[1-10]: 9

Why: This is a critical security suggestion, as pinning base images to a digest is a best practice to ensure build reproducibility and prevent supply chain attacks, a practice which this PR regresses.

High
Possible issue
Add FIPS flag to Linux build

Add the GOFIPS140 environment variable to the go build command for cosign-linux
in Dockerfile.cosign.rh to ensure the binary is built with FIPS compliance.

Dockerfile.cosign.rh [21-26]

-go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \
+GOFIPS140=latest go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \
     gzip -k cosign-linux && \
     make -f Build.mak cross-platform && \
     gzip cosign-darwin-amd64 && \
     gzip cosign-darwin-arm64 && \
     gzip cosign-windows-amd64.exe && \
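Review bot: the `+` line hardcodes `GOFIPS140=latest` while the Makefile targets built two lines later by `make -f Build.mak cross-platform` take the value from `FIPS_MODULE`, so the Linux binary and the Darwin/Windows binaries can end up on different module versions; feed the same variable into the Dockerfile (for example an `ARG FIPS_MODULE` consumed as `GOFIPS140=${FIPS_MODULE}`). Note also that `latest` selects whatever module ships in the toolchain rather than a specific validated snapshot, which matters if the pipeline's FIPS check is meant to back a compliance claim.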
Suggestion importance[1-10]: 8

Why: The suggestion correctly identifies a critical omission; the main goal of the PR is to enable FIPS, but the GOFIPS140 flag is missing from the primary Linux binary build command, rendering the FIPS changes ineffective.

Medium
General
Remove FIPS flag from non-Linux builds

Remove the GOFIPS140=$(FIPS_MODULE) environment variable from the Darwin and
Windows build commands in Build.mak, as it only applies to Linux builds.

Build.mak [27]

-env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE)  GOOS=darwin GOARCH=arm64 go build -o cosign-darwin-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o cosign-darwin-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
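Review bot: the removal on the `-` line rests on the claim that GOFIPS140 only applies to Linux, which should be checked against the Go toolchain documentation before applying: the setting selects which version of the Go Cryptographic Module is compiled into the binary and is not gated on GOOS, so dropping it leaves the darwin and windows artifacts built with a different crypto configuration from the Linux one. If the intent is that only the Linux binary needs FIPS mode, record that decision in Build.mak next to `FIPS_MODULE` rather than removing the flag silently.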
Suggestion importance[1-10]: 5

Why: The suggestion correctly identifies that the GOFIPS140 flag is ineffective for non-Linux builds and its removal from the Darwin and Windows targets improves the correctness of the build configuration.

Low
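As an added example (not code from the PR or the project), a small Python policy check for the three Dockerfile.cosign.rh points raised in the compliance guide and the suggestions above: a tag-only FROM, a `go build` that runs without GOFIPS140, and no `go mod verify` before building. The two Dockerfile samples are constructed to mirror the quoted RUN block; the digest is an all-zero placeholder, and the `ARG FIPS_MODULE` line and the `final` stage are assumptions, not the repo's file.

```python
"""Checks for two points raised in this review: digest-pinned FROM lines and GOFIPS140 on every go build."""
import re

SHA256_PIN = re.compile(r"@sha256:[0-9a-f]{64}\b")
DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real image digest

# Constructed samples modelled on the RUN block quoted in the thread; not the repo's Dockerfile.
DOCKERFILE_BEFORE = """\
FROM registry.redhat.io/ubi9/go-toolset:9.7 AS build-env
RUN go mod vendor && \\
    LDFLAGS="-X sigs.k8s.io/release-utils/version.gitVersion=${GIT_VERSION}"; \\
    go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \\
    gzip -k cosign-linux && \\
    make -f Build.mak cross-platform
"""
DOCKERFILE_AFTER = """\
FROM registry.redhat.io/ubi9/go-toolset:9.7@{digest} AS build-env
ARG FIPS_MODULE=latest
RUN go mod vendor && go mod verify && \\
    GOFIPS140=${FIPS_MODULE} go build -o cosign-linux -trimpath ./cmd/cosign && \\
    gzip -k cosign-linux
FROM build-env AS final
""".replace("{digest}", DIGEST)

def unpinned_base_images(dockerfile: str) -> list:
    """FROM references lacking a sha256 digest; references to earlier stages are skipped."""
    froms = []
    for line in dockerfile.splitlines():
        parts = line.split()
        if parts and parts[0].upper() == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
            stage = args[2] if len(args) >= 3 and args[1].upper() == "AS" else None
            froms.append((args[0], stage))
    stages = {s for _, s in froms if s}
    return [ref for ref, _ in froms if ref not in stages and not SHA256_PIN.search(ref)]

def run_commands(dockerfile: str) -> list:
    """Shell commands of each RUN: continuation lines folded, split naively on && || ; ."""
    runs = []
    for line in dockerfile.replace("\\\n", " ").splitlines():
        if line.strip().upper().startswith("RUN "):
            runs.append([c.strip() for c in re.split(r"&&|\|\||;", line.strip()[4:]) if c.strip()])
    return runs

def go_builds_without_fips(dockerfile: str) -> list:
    """`go build` commands with no GOFIPS140 set inline or exported earlier in the same RUN."""
    missing = []
    for cmds in run_commands(dockerfile):
        exported = False
        for cmd in cmds:
            exported = exported or re.match(r"export\s+GOFIPS140=", cmd) is not None
            if re.search(r"\bgo build\b", cmd) and not exported \
                    and not re.search(r"\bGOFIPS140=\S+\s", cmd):
                missing.append(cmd)
    return missing

def has_mod_verify(dockerfile: str) -> bool:
    """True when some RUN performs the `go mod verify` checksum check the review asked for."""
    return any(re.search(r"\bgo mod verify\b", c) for cmds in run_commands(dockerfile) for c in cmds)

def audit(dockerfile: str) -> list:
    """Readable findings; an empty list means the Dockerfile passes every check."""
    findings = ["unpinned base image: " + r for r in unpinned_base_images(dockerfile)]
    findings += ["go build without GOFIPS140: " + c for c in go_builds_without_fips(dockerfile)]
    if not has_mod_verify(dockerfile):
        findings.append("no `go mod verify` before building")
    return findings
```

Running `audit` over the "before" sample reports all three findings and over the "after" sample reports none; a `go build` behind `make cross-platform` is not visible to this check, so the Makefile targets need the same review separately.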

@JasonPowr JasonPowr merged commit a2a664e into main Nov 28, 2025
35 checks passed