Merged
2 changes: 1 addition & 1 deletion CLAUDE.md
Expand Up @@ -115,7 +115,7 @@ Strict palette — no deviations:
- **Deploy:** Kaniko v1.23.2 --reproducible → cosign sign → Binary Auth attestation (KMS) → SBOM attest (Syft SPDX from container) → build provenance (actions/attest-build-provenance) → deploy by digest → both regions → health check → OWASP ZAP DAST
- **Custom Wolfi base image:** us-docker.pkg.dev/casecomp-495718/casecomp-node24/node24. Built with apko. 9 smoke tests. 0 CVEs.
- **Supply chain:** SBOM + SLSA attestations on image digest, SHA-pinned GitHub Actions, Dependabot, lockfile-lint, Socket.dev, pre-commit hook (blocks .env, secrets, large files)
- **Binary Authorization:** ENFORCED on both Cloud Run services, KMS-backed attestor, deploy pipeline creates attestations
- **Binary Authorization:** REQUIRE_ATTESTATION enforced on both Cloud Run services, KMS-backed attestor (EC P256, deploy-attestor), deploy pipeline creates attestations via `gcloud beta container binauthz attestations sign-and-create`
- **Secret workflow:** Add to secrets.tf → CI creates → `gcloud secrets versions add` for value. Never `gcloud secrets create`.
- Secrets: EBAY_CLIENT_ID/SECRET, ANTHROPIC_API_KEY, TOGETHER_API_KEY, PSA_AUTH_TOKEN, CASECOMP_API_KEY, CASECOMP_SANDBOX_KEY, RESEND_API_KEY, CASECOMP_JWT_SECRET, GOOGLE_OAUTH_CLIENT_ID, CASECOMP_ADMIN_SUB

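Review bot: the rewritten Binary Authorization bullet now documents the mechanism (REQUIRE_ATTESTATION, EC P256 KMS attestor, `gcloud beta container binauthz attestations sign-and-create`) but not the operational consequence: with this rule every deploy of an image digest that carries no attestation from `deploy-attestor` is rejected, which includes any manual or emergency `gcloud run deploy` that skips the pipeline and any image built before the attestation step existed. Add one sentence saying so, and state what the break-glass path is (or that there is none), since this file is the instruction set an operator will read under time pressure. Two smaller points: the attestation is bound to the image digest, so the "deploy by digest" step in the Deploy bullet above is a hard requirement rather than a preference and could be marked as such; and `gcloud beta` is a moving surface, so note the tested gcloud version next to the command.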
2 changes: 1 addition & 1 deletion docs/internals.md
Expand Up @@ -188,7 +188,7 @@ Three workflows: `ci.yml` (all checks), `deploy.yml` (build + sign + deploy), `t
| apko + Wolfi | Base image | Custom Node 24 image, manual `workflow_dispatch` |
| Dependabot | Weekly | npm + GitHub Actions version updates |
| RASP | Runtime | SQLi/XSS/cmdi/traversal/NoSQLi/proto-pollution detection, anomaly scoring |
| Binary Auth | Cloud Run | ENFORCED policy (blocks unsigned images) |
| Binary Auth | Cloud Run | REQUIRE_ATTESTATION policy (blocks unattested images) |

## Scheduled tasks

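Review bot: "blocks unattested images" is the right correction (Binary Authorization evaluates attestations on the digest, not cosign signatures, so the old "unsigned" wording was misleading), but the row still does not say which attestation is required. Name the attestor in the cell, e.g. `REQUIRE_ATTESTATION policy (blocks images without a deploy-attestor attestation)`, so this table agrees with the CLAUDE.md bullet and a reader can map a denial in the audit log back to the missing pipeline step.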
6 changes: 5 additions & 1 deletion terraform/binary-auth.tf
Expand Up @@ -79,8 +79,12 @@ resource "google_binary_authorization_policy" "default" {
global_policy_evaluation_mode = "ENABLE"

default_admission_rule {
evaluation_mode = "ALWAYS_ALLOW"
evaluation_mode = "REQUIRE_ATTESTATION"
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"

require_attestations_by = [
google_binary_authorization_attestor.deploy.name,
]
}

depends_on = [google_project_service.binaryauthorization]
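Review bot: changing `evaluation_mode` from `ALWAYS_ALLOW` to `REQUIRE_ATTESTATION` while `enforcement_mode` stays `ENFORCED_BLOCK_AND_AUDIT_LOG` means this apply is the first time the policy blocks anything (the old combination allowed every image and only logged). Before merging, confirm that the digests currently serving both Cloud Run services already carry an attestation from `google_binary_authorization_attestor.deploy`; any future deploy of a digest that lacks one, including older images built before the pipeline started attesting, will be denied. If that is not certain, stage the change: apply with `enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY"` first, review the Binary Authorization audit-log entries for would-be denials, then switch back to `ENFORCED_BLOCK_AND_AUDIT_LOG` in a follow-up. No change is needed to `depends_on`: the `require_attestations_by` reference already gives Terraform an implicit dependency on the attestor resource. Worth a one-line comment in the file: `global_policy_evaluation_mode = "ENABLE"` still exempts Google-maintained system images from the attestation requirement, which is expected here but surprises people reading the rule in isolation.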