l3montree-dev · timbastin · Mar 6, 2026 · Mar 26, 2026 · Mar 28, 2026 · Mar 29, 2026
diff --git a/.github/workflows/attest.yml b/.github/workflows/attest.yml
@@ -84,87 +84,89 @@ jobs:
           echo "Using provided artifact name: ${{ inputs.artifact-name }}"
           echo "Encoded: $API_ARTIFACT_NAME"
         fi    
+        echo "Resolved artifact name for attestation: ${{ inputs.artifact-name }}"
 
-    - name: Get SBOM
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+    - name: Get and Attest SBOM
+      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main
       with:
-        args: >
-          sh -c "
-            slug=$(devguard-scanner slug ${{ github.ref_name }}) && devguard-scanner curl '${{ inputs.api-url }}/api/v1/organizations/${{ inputs.asset-name }}/refs/'$slug'/artifacts/${{ env.API_ARTIFACT_NAME }}/sbom.json/' --token='${{ secrets.devguard-token }}' > sbom.json
-          "
-      env:
-        API_ARTIFACT_NAME: ${{ env.API_ARTIFACT_NAME }}
-    - name: Get VeX
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
-      with:
-        args: >
-            sh -c " 
-            slug=$(devguard-scanner slug ${{ github.ref_name }}) && devguard-scanner curl '${{ inputs.api-url }}/api/v1/organizations/${{ inputs.asset-name }}/refs/'$slug'/artifacts/${{ env.API_ARTIFACT_NAME }}/vex.json/' --token='${{ secrets.devguard-token }}' > vex.json
-            "
-      env:
-        API_ARTIFACT_NAME: ${{ env.API_ARTIFACT_NAME }}      
-    - name: Get SAST-Results
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
-      with:
-         args: >
-            sh -c " 
-            slug=$(devguard-scanner slug ${{ github.ref_name }}) && devguard-scanner curl '${{ inputs.api-url }}/api/v1/organizations/${{ inputs.asset-name }}/refs/'$slug'/sarif.json' --token='${{ secrets.devguard-token }}' > sarif.json
-            "
-    - name: Attest SBOM
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
-      with:
-        args: >
+        args: |
           sh -c "
+            slug=$(devguard-scanner slug ${{ github.ref_name }}) &&
+            artifact_name="$ARTIFACT_NAME" &&
+            echo 'Fetching SBOM for artifact:' '${{ env.API_ARTIFACT_NAME }}' &&
+            devguard-scanner curl '${{ inputs.api-url }}/api/v1/organizations/${{ inputs.asset-name }}/refs/'$slug'/artifacts/${{ env.API_ARTIFACT_NAME }}/sbom.json/' --token='${{ secrets.devguard-token }}' > /tmp/sbom.json &&
+            echo 'SBOM downloaded to /tmp/sbom.json' &&
             if [ -f image-digest.txt ]; then
-              devguard-scanner attest -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} sbom.json --predicateType='https://cyclonedx.org/bom' \"$(cat image-tag.txt)@$(cat image-digest.txt)\" --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName=${{ env.ARTIFACT_NAME }}
+              echo 'Attesting SBOM with image digest present' &&
+              devguard-scanner attest -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} /tmp/sbom.json --predicateType='https://cyclonedx.org/bom' \"$(cat image-tag.txt)@$(cat image-digest.txt)\" --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName="$artifact_name"
             else
-              devguard-scanner attest sbom.json --predicateType='https://cyclonedx.org/bom' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }}  --artifactName=${{ env.ARTIFACT_NAME }}
+              echo 'Attesting SBOM without image digest' &&
+              devguard-scanner attest /tmp/sbom.json --predicateType='https://cyclonedx.org/bom' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName="$artifact_name"
             fi
           "
       env:
-        ARTIFACT_NAME: ${{ env.ARTIFACT_NAME }}    
-    - name: Attest VeX
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+        API_ARTIFACT_NAME: ${{ env.API_ARTIFACT_NAME }}
+        ARTIFACT_NAME: ${{ env.ARTIFACT_NAME }}
+    - name: Get and Attest VeX
+      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main
       with:
-        args: >
+        args: |
           sh -c "
+            slug=$(devguard-scanner slug ${{ github.ref_name }}) &&
+            artifact_name="$ARTIFACT_NAME" &&
+            echo 'Fetching VeX for artifact:' '${{ env.API_ARTIFACT_NAME }}' &&
+            devguard-scanner curl '${{ inputs.api-url }}/api/v1/organizations/${{ inputs.asset-name }}/refs/'$slug'/artifacts/${{ env.API_ARTIFACT_NAME }}/vex.json/' --token='${{ secrets.devguard-token }}' > /tmp/vex.json &&
+            echo 'VeX downloaded to /tmp/vex.json' &&
             if [ -f image-digest.txt ]; then
-              devguard-scanner attest -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} vex.json \"$(cat image-tag.txt)@$(cat image-digest.txt)\" --token='${{ secrets.devguard-token }}' --predicateType='https://cyclonedx.org/vex' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName=${{ env.ARTIFACT_NAME }}
+              echo 'Attesting VeX with image digest present' &&
+              devguard-scanner attest -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} /tmp/vex.json \"$(cat image-tag.txt)@$(cat image-digest.txt)\" --token='${{ secrets.devguard-token }}' --predicateType='https://cyclonedx.org/vex' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName="$artifact_name"
             else
-              devguard-scanner attest vex.json --predicateType='https://cyclonedx.org/vex' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }}  --artifactName=${{ env.ARTIFACT_NAME }}
+              echo 'Attesting VeX without image digest' &&
+              devguard-scanner attest /tmp/vex.json --predicateType='https://cyclonedx.org/vex' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName="$artifact_name"
             fi
           "
       env:
+        API_ARTIFACT_NAME: ${{ env.API_ARTIFACT_NAME }}
         ARTIFACT_NAME: ${{ env.ARTIFACT_NAME }}
-    - name: Attest SAST-Results
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+    - name: Get and Attest SAST-Results
+      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main
       with:
-        args: >
+        args: |
           sh -c "
+            slug=$(devguard-scanner slug ${{ github.ref_name }}) &&
+            artifact_name="$ARTIFACT_NAME" &&
+            echo 'Fetching SAST results for artifact:' '${{ env.ARTIFACT_NAME }}' &&
+            devguard-scanner curl '${{ inputs.api-url }}/api/v1/organizations/${{ inputs.asset-name }}/refs/'$slug'/sarif.json' --token='${{ secrets.devguard-token }}' > /tmp/sarif.json &&
+            echo 'SAST results downloaded to /tmp/sarif.json' &&
             if [ -f image-digest.txt ]; then
-              devguard-scanner attest -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} sarif.json \"$(cat image-tag.txt)@$(cat image-digest.txt)\" --predicateType='https://www.schemastore.org/schemas/json/sarif-2.1.0.json' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName=${{ env.ARTIFACT_NAME }}
+              echo 'Attesting SAST results with image digest present' &&
+              devguard-scanner attest -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} /tmp/sarif.json \"$(cat image-tag.txt)@$(cat image-digest.txt)\" --predicateType='https://www.schemastore.org/schemas/json/sarif-2.1.0.json' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName="$artifact_name"
             else
-              devguard-scanner attest sarif.json --predicateType='https://www.schemastore.org/schemas/json/sarif-2.1.0.json' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName=${{ env.ARTIFACT_NAME }}
+              echo 'Attesting SAST results without image digest' &&
+              devguard-scanner attest /tmp/sarif.json --predicateType='https://www.schemastore.org/schemas/json/sarif-2.1.0.json' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName="$artifact_name"
             fi
           "
       env:
         ARTIFACT_NAME: ${{ env.ARTIFACT_NAME }}
-    # download build-provenance.json if it exists
-    - name: Download build-provenance.json
+    - name: Download and Attest build-provenance.json
       uses: actions/download-artifact@v4
       with:
         name: build${{ inputs.image-suffix }}.provenance.json
     - name: Attest build-provenance.json
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main
       continue-on-error: true
       with:
-        args: >
+        args: |
           sh -c "
+            artifact_name="$ARTIFACT_NAME" &&
+            echo 'Building provenance attestation for artifact:' '${{ env.ARTIFACT_NAME }}' &&
             if [ -f image-digest.txt ]; then
-              devguard-scanner attest -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} build.provenance.json \"$(cat image-tag.txt)@$(cat image-digest.txt)\" --predicateType='https://slsa.dev/provenance/v1' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName=${{ env.ARTIFACT_NAME }}
+              echo 'Attesting provenance with image digest present' &&
+              devguard-scanner attest -u ${{ github.actor }} -r ghcr.io -p ${{ secrets.GITHUB_TOKEN }} build.provenance.json \"$(cat image-tag.txt)@$(cat image-digest.txt)\" --predicateType='https://slsa.dev/provenance/v1' --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName="$artifact_name"
             else
-              devguard-scanner attest build.provenance.json --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --predicateType='https://slsa.dev/provenance/v1' --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName=${{ env.ARTIFACT_NAME }}
+              echo 'Attesting provenance without image digest' &&
+              devguard-scanner attest build.provenance.json --token='${{ secrets.devguard-token }}' --apiUrl=${{ inputs.api-url }} --predicateType='https://slsa.dev/provenance/v1' --assetName=${{ inputs.asset-name }} --ref=${{ github.ref_name }} --artifactName="$artifact_name"
             fi
           "
       env:
-        ARTIFACT_NAME: ${{ env.ARTIFACT_NAME }}  
+        ARTIFACT_NAME: ${{ env.ARTIFACT_NAME }}
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -23,7 +23,7 @@ on:
         type: string
         required: false
         default: ''
-        description: "The name of the artifact you are building. This is useful when a single pipeline builds more than a single artifact like a container with a shell inside and one without. If you build a single artifact - leave it empty." 
+        description: "The name of the artifact you are building. This is useful when a single pipeline builds more than a single artifact like a container with a shell inside and one without. If you build a single artifact - leave it empty."
       disable-artifact-registry-as-image-store:
         required: false
         default: false
@@ -55,22 +55,20 @@ jobs:
         fi
 
         echo "BUILD_ARGS=$BUILD_ARGS --no-push --tarPath /github/workspace/tmp-image.tar" >> $GITHUB_ENV
-        
+
     - name: Checkout code
       uses: actions/checkout@v4
       with:
         submodules: recursive
         persist-credentials: false
+
     - name: In-Toto Provenance record start
       id: in-toto-start
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main
       with:
         args: devguard-scanner intoto start --step=build --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }}
       continue-on-error: true
 
-    - name: Setup crane
-      uses: imjasonh/setup-crane@v0.1
-
     - name: Build Docker image with Kaniko
       # Building the Docker image using Kaniko
       id: build_image
@@ -82,10 +80,14 @@ jobs:
       run: mv tmp-image.tar "${IMAGE_DESTINATION_PATH}"
       env:
         IMAGE_DESTINATION_PATH: ${{ inputs.image-destination-path }}
-  
+
     - name: Use crane to get the digest
       run: |
-        crane digest --tarball="${IMAGE_DESTINATION_PATH}" > image-digest.txt
+        docker run --rm \
+          -v "$GITHUB_WORKSPACE:/workspace" \
+          -w /workspace \
+          ghcr.io/l3montree-dev/devguard/scanner:main \
+          crane digest --tarball="${IMAGE_DESTINATION_PATH}" > image-digest.txt
       env:
         IMAGE_DESTINATION_PATH: ${{ inputs.image-destination-path }}
 
@@ -97,44 +99,55 @@ jobs:
         path: ${{ inputs.image-destination-path }}
       if: inputs.disable-artifact-registry-as-image-store == false
 
-    # Calculate a tag name
-    # If the image input is provided, use it as the tag
-    # If the workflow is triggered by a tag, use the tag as the tag
-    # Otherwise built GitOps compatible tags. Fallback to the branch name, commit hash, and timestamp. Those tags are sortable and  unique.
-    - name: Set IMAGE_TAG
+    - name: Set image tag
+      id: set-image-tag
+      env:
+        IMAGE_SUFFIX: ${{ inputs.image-suffix }}
+        IMAGE: ${{ inputs.image }}
       run: |
-        if [ "${IMAGE}" != "" ]; then
-          IMAGE_TAG="${IMAGE}"
-        elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
-          if [ "${IMAGE_SUFFIX}" != "" ]; then
-            IMAGE_TAG="ghcr.io/${{ github.repository }}/${IMAGE_SUFFIX}:${GITHUB_REF#refs/tags/}"  
+        if [ -n "$IMAGE" ]; then
+          IMAGE_TAG="$IMAGE"
+          echo "$IMAGE_TAG" > image-tag.txt
+          echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
+        else
+          if [ -n "$IMAGE_SUFFIX" ]; then
+            IMAGE_PATH="ghcr.io/${GITHUB_REPOSITORY}/${IMAGE_SUFFIX}"
           else
-            IMAGE_TAG="ghcr.io/${{ github.repository }}:${GITHUB_REF#refs/tags/}"  
+            IMAGE_PATH="ghcr.io/${GITHUB_REPOSITORY}"
           fi
-
-        else
-          branch=${GITHUB_REF##*/}
-          sha=${GITHUB_SHA::8}
-          ts=$(date +%s)
-            if [ "${IMAGE_SUFFIX}" != "" ]; then
-              IMAGE_TAG="ghcr.io/${{ github.repository }}/${IMAGE_SUFFIX}:${branch}-${sha}-${ts}"
-            else
-              IMAGE_TAG="ghcr.io/${{ github.repository }}:${branch}-${sha}-${ts}"
-            fi
+          docker run --rm \
+            -e IMAGE_PATH \
+            -e GITHUB_REF_NAME \
+            ghcr.io/l3montree-dev/devguard/scanner:main \
+            devguard-scanner generate-tag \
+              --imagePath="$IMAGE_PATH" \
+              --ref="$GITHUB_REF_NAME" \
+          >> image-tag-env.txt
+          IMAGE_TAG=$(grep '^IMAGE_TAG=' image-tag-env.txt | cut -d= -f2-)
+          ARTIFACT_NAME=$(grep '^ARTIFACT_NAME=' image-tag-env.txt | cut -d= -f2-)
+          ARTIFACT_URL_ENCODED=$(grep '^ARTIFACT_URL_ENCODED=' image-tag-env.txt | cut -d= -f2-)
+          echo "$IMAGE_TAG" > image-tag.txt
+          echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
+          echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> "$GITHUB_ENV"
+          echo "ARTIFACT_URL_ENCODED=$ARTIFACT_URL_ENCODED" >> "$GITHUB_ENV"
         fi
 
-        IMAGE_TAG=$(echo "$IMAGE_TAG" | tr '[:upper:]' '[:lower:]')
-        echo "$IMAGE_TAG" > image-tag.txt
-
-        # necessary for the kaniko job
-        echo "IMAGE_TAG=$(cat image-tag.txt)" >> $GITHUB_ENV
-      env:
-        IMAGE_SUFFIX: ${{ inputs.image-suffix }}  
-        IMAGE: ${{ inputs.image }}
+    - name: Log in to ghcr.io
+      run: |
+        docker run --rm \
+          -v "${HOME}/.docker:/tmp/.docker" \
+          ghcr.io/l3montree-dev/devguard/scanner:main \
+          crane auth login ghcr.io -u ${{ github.actor }} -p ${{ github.token }}
+      if: inputs.disable-artifact-registry-as-image-store == true
 
     - name: Upload to container registry
       run: |
-        crane push "${IMAGE_DESTINATION_PATH}" $(cat image-tag.txt)
+        docker run --rm \
+          -v "$GITHUB_WORKSPACE:/workspace" \
+          -w /workspace \
+          -v "${HOME}/.docker:/tmp/.docker:ro" \
+          ghcr.io/l3montree-dev/devguard/scanner:main \
+          crane push "${IMAGE_DESTINATION_PATH}" "$(cat image-tag.txt)"
       env:
         IMAGE_DESTINATION_PATH: ${{ inputs.image-destination-path }}
       if: inputs.disable-artifact-registry-as-image-store == true
@@ -146,43 +159,33 @@ jobs:
         name: image-digest${{ inputs.image-suffix }}
         path: image-digest.txt
 
-    - name: Set Artifact purl
+    - name: Set artifact PURL
       run: |
-        if [ -n "$ARTIFACT_NAME" ]; then
-          PURL="$ARTIFACT_NAME"
+        if [ -n "$ARTIFACT_NAME_INPUT" ]; then
+          PURL="$ARTIFACT_NAME_INPUT"
+          SAFE_PURL=$(echo -n "$PURL" | jq -s -R -r @uri)
         else
-          IMAGE_TAG=$(cat image-tag.txt)
-          REGISTRY_AND_IMAGE=${IMAGE_TAG%:*}
-          VERSION=${IMAGE_TAG##*:}
-          NAMESPACE_AND_NAME=${REGISTRY_AND_IMAGE#*/}
-          NAME=${NAMESPACE_AND_NAME##*/}
-          REPOSITORY_URL="$REGISTRY_AND_IMAGE"
-          PURL="pkg:oci/$NAME?repository_url=$REPOSITORY_URL"
+          PURL="$ARTIFACT_NAME"
+          SAFE_PURL="$ARTIFACT_URL_ENCODED"
         fi
-
         echo "$PURL" > artifact-purl.txt
+        echo "$SAFE_PURL" > artifact-purl-safe.txt
         echo "PURL=$PURL" >> $GITHUB_ENV
         echo "Using artifact name: $PURL"
       env:
-        ARTIFACT_NAME: ${{ inputs.artifact-name }}
+        ARTIFACT_NAME_INPUT: ${{ inputs.artifact-name }}
 
     - name: Upload artifact purl
       uses: actions/upload-artifact@v4
       with:
         name: artifact-purl${{ inputs.image-suffix }}
         path: artifact-purl.txt
 
-    - name: create safe purl
-      run: |
-        SAFE_PURL=$(echo -n "$PURL" | jq -s -R -r @uri)
-        echo "$SAFE_PURL" > artifact-purl-safe.txt
-        echo "Safe artifact name: $SAFE_PURL"
-
     - name: Upload safe artifact purl
       uses: actions/upload-artifact@v4
       with:
         name: artifact-purl-safe${{ inputs.image-suffix }}
-        path: artifact-purl-safe.txt    
+        path: artifact-purl-safe.txt
 
     # Upload the calculated image tag as an artifact
     - name: Upload image tag
@@ -192,11 +195,11 @@ jobs:
         path: image-tag.txt
 
     - name: In-Toto Provenance record stop
-      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
+      uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main
       with:
         args: devguard-scanner intoto stop --step=build --products=image-digest.txt --products=image-tag.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --generateSlsaProvenance
       continue-on-error: true
-      
+
     - name: Upload SLSA Provenance
       uses: actions/upload-artifact@v4
       with: