
sec: Sigstore signing, SBOM, Grype scanning, Binary Auth #72

Merged: Pyronewbic merged 1 commit into main from dev on May 13, 2026

Conversation

@Pyronewbic (Owner)

Summary

  • Cosign keyless container signing via GitHub OIDC → Sigstore Rekor transparency log
  • Deploy by image digest (not :latest tag) to prevent tag-swap attacks
  • Syft SBOM generation (SPDX JSON) uploaded as build artifact (90 day retention)
  • Grype vulnerability scanning with SARIF upload to GitHub Security tab
  • Binary Authorization enabled on both Cloud Run services (DRYRUN audit mode)
  • Kaniko pinned to v1.23.2, dual tags (latest + SHA), --reproducible builds

Type

  • Infra / config

Breaking changes

None

Endpoints

None

Checks

  • yarn test:unit passes
  • terraform validate passes
  • terraform fmt -check passes

Infrastructure

  • New GCP APIs: Binary Authorization, Container Analysis
  • Binary Auth policy: DRYRUN_AUDIT_LOG_ONLY (logs unsigned deploys, does not block)
  • Both casecomp-api and casecomp-site reference the policy
  • Terraform apply needed after merge (auto-applies via terraform.yml workflow)

Frontend impact

None

Deploy notes

First deploy after merge will sign the image and run SBOM+Grype for the first time. Binary Auth policy is DRYRUN, so there is no risk of blocking. Switch to ALWAYS_DENY after confirming signing works across a few deploys.

- deploy.yml: cosign keyless signing after build, deploy by digest
  (not :latest tag), post-deploy signature verification
- cloudbuild.yml: pinned Kaniko v1.23.2, dual tags (latest + SHA),
  --reproducible flag for deterministic builds
- terraform: Binary Authorization API + Container Analysis API enabled,
  DRYRUN_AUDIT_LOG_ONLY policy (logs unsigned deploys without blocking),
  both Cloud Run services reference the policy
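As an added example that is not the project's deploy.yml (the PR's own workflow is not shown on this page), the following shell script sketches the post-build sequence the description lists: resolve the pushed image to a digest, keyless-sign it with cosign, verify the signature against the expected GitHub OIDC identity, generate a Syft SBOM and scan it with Grype, deploy the digest to Cloud Run, and check afterwards that the running digest is the one that was verified. It assumes cosign, syft, grype and an authenticated gcloud on PATH, Artifact Registry as the registry, and the environment variables IMAGE (tag-less image path), GIT_SHA, SERVICE, REGION and GITHUB_REPOSITORY; the helper names and the `gcloud --format` paths are assumptions, not taken from the project.

```shell
#!/usr/bin/env bash
# Added example, not the repository's deploy.yml. Assumed env: IMAGE (e.g.
# REGION-docker.pkg.dev/PROJECT/REPO/casecomp-api, no tag), GIT_SHA, SERVICE,
# REGION, GITHUB_REPOSITORY (set by Actions); cosign/syft/grype/gcloud on PATH.
# The Actions job needs `permissions: id-token: write` for keyless signing.
set -eu

# Accept only a digest-pinned reference (NAME@sha256:<64 hex>). A tag such as
# :latest can be re-pointed after signing; a digest cannot.
assert_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Return the sha256:... part of a pinned reference.
digest_of() {
  assert_digest_ref "$1" || return 1
  printf '%s\n' "${1#*@}"
}

# Regexp for the Fulcio certificate identity (SAN) that GitHub OIDC puts into
# a keyless signature: repo, workflow file and the ref that ran it. Pinning
# this is what makes verification meaningful: any Fulcio-issued signature
# lands in Rekor, so "is it in the log" alone proves nothing about who signed.
cosign_identity_regexp() {
  repo=$1; workflow=$2; branch=$3
  printf '^https://github\\.com/%s/\\.github/workflows/%s@refs/heads/%s$\n' \
    "$repo" "$(printf '%s' "$workflow" | sed 's/\./\\./g')" "$branch"
}

deploy_pipeline() {
  # 1. Resolve the digest of the image Kaniko pushed under the commit-SHA tag
  #    (assumed Artifact Registry; the format path is an assumption).
  digest=$(gcloud artifacts docker images describe "${IMAGE}:${GIT_SHA}" \
             --format='value(image_summary.digest)')
  ref="${IMAGE}@${digest}"
  assert_digest_ref "$ref"

  # 2. Keyless sign: cosign trades the job's OIDC token for a short-lived
  #    Fulcio cert and records the signature in Rekor. --yes skips the
  #    interactive consent prompt in CI.
  cosign sign --yes "$ref"

  # 3. Verify before deploying, pinning both issuer and identity.
  cosign verify \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp \
      "$(cosign_identity_regexp "$GITHUB_REPOSITORY" deploy.yml main)" \
    "$ref" > /dev/null

  # 4. SBOM from the same digest (not the tag), then scan the SBOM with Grype;
  #    grype.sarif is what the Security-tab upload step consumes.
  syft "$ref" -o spdx-json=sbom.spdx.json
  grype sbom:sbom.spdx.json -o sarif --file grype.sarif

  # 5. Deploy by digest so a later push to :latest cannot change what runs.
  gcloud run deploy "$SERVICE" --image "$ref" --region "$REGION" --quiet

  # 6. Post-deploy check: the digest Cloud Run reports must equal the one
  #    that was verified above (format path is an assumption).
  running=$(gcloud run services describe "$SERVICE" --region "$REGION" \
              --format='value(spec.template.spec.containers[0].image)')
  [ "$(digest_of "$running")" = "$digest" ] || {
    echo "deployed image digest drifted: $running" >&2; exit 1; }
}

# Guarded so the helpers can be sourced/tested without touching GCP.
if [ "${RUN_PIPELINE:-0}" = 1 ]; then deploy_pipeline; fi
```

Run it from the deploy job as `RUN_PIPELINE=1 IMAGE=... GIT_SHA=... SERVICE=casecomp-api REGION=... sh deploy.sh`. The identity regexp deliberately pins `deploy.yml` on `refs/heads/main`; a signature produced by a workflow on a feature branch or in a fork fails step 3 even though it is equally valid Sigstore material. Step 6 is the cheap local counterpart of the Binary Authorization check that the DRYRUN policy only logs for now.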
@github-actions

Terraform Plan

Acquiring state lock. This may take a few moments...
Releasing state lock. This may take a few moments...

Error: No value for required variable

  on variables.tf line 21:
  21: variable "alert_email" {

The root module input variable "alert_email" is not set, and has no default
value. Use a -var or -var-file command line argument to provide a value for
this variable.
::error::Terraform exited with code 1.

Merge to main to apply.

@Pyronewbic Pyronewbic merged commit 8f35ecc into main May 13, 2026
4 checks passed