enable fips140 builds (#1952)

motatoes · web-flow · commit 91d39e1401de · 2025-05-20T12:00:34.000-07:00
* enable fips140 builds

* fix

* support fips in gha

* fix build stage

* add docs
diff --git a/.github/workflows/ee_backend_docker_release.yml b/.github/workflows/ee_backend_docker_release.yml
@@ -45,3 +45,5 @@ jobs:
           push: true
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest, ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
           labels: ${{ steps.meta.outputs.labels }}
+
+            
diff --git a/.github/workflows/ee_backend_docker_release_fips.yml b/.github/workflows/ee_backend_docker_release_fips.yml
@@ -0,0 +1,51 @@
+---
+name: EE Backend Publish docker image
+
+"on":
+  release:
+    types:
+      - 'released'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}_backend_ee_fips
+
+jobs:
+  build-and-push-image:
+    if: (startswith(github.event.release.tag_name, 'v'))
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5.3.0
+        with:
+          context: .
+          file: "Dockerfile_backend_ee"
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest, ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            GODEBUG_VALUE=fips140=only
+            GOFIPS140_VALUE=v1.0.0            
+            
diff --git a/.github/workflows/ee_cli_release_fips.yml b/.github/workflows/ee_cli_release_fips.yml
@@ -0,0 +1,43 @@
+---
+name: release ee cli
+
+"on":
+  release:
+    branches:
+      - 'go'
+    types:
+      - 'released'
+
+jobs:
+  binary:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.24.0
+        id: go
+
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Publish linux-x64 exec to github
+        id: build-and-release-binary
+        uses: wangyoucao577/go-release-action@8fa1e8368c8465264d64e0198208e10f71474c87  # v1.50
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          goos: linux
+          goarch: amd64
+          goversion: 1.24.0
+          project_path: ./ee/cli/cmd/digger
+          binary_name: digger
+          pre_command: export CGO_ENABLED=0
+          sha256sum: true
+          md5sum: false
+          asset_name: "digger-ee-cli-Linux-X64-fips"
+          compress_assets: "OFF"
+        env:
+          GODEBUG: fips140=only
+          GOFIPS140: v1.0.0
+
diff --git a/Dockerfile_backend_ee b/Dockerfile_backend_ee
@@ -20,8 +20,16 @@ RUN go build -ldflags="-X 'main.Version=${COMMIT_SHA}'" -o backend_exe ./ee/back
 
 # Multi-stage build will just copy the binary to an alpine image.
 FROM ubuntu:24.04 as runner
-ENV ATLAS_VERSION v0.31.0
+
 ARG COMMIT_SHA
+ARG GODEBUG_VALUE=off
+ARG GOFIPS140_VALUE=off
+
+# Set environment variables using the build arguments
+ENV GODEBUG=$GODEBUG_VALUE
+ENV GOFIPS140=$GOFIPS140_VALUE
+ENV ATLAS_VERSION v0.31.0
+
 WORKDIR /app
 
 RUN apt-get update && apt-get install -y ca-certificates curl && apt-get install -y git && apt-get clean all
diff --git a/action.yml b/action.yml
@@ -8,6 +8,10 @@ inputs:
     description: use ee cli?
     required: false
     default: 'false'
+  fips:
+    description: build with fips140 standard?
+    required: false
+    default: 'false'
   setup-aws:
     description: Setup AWS
     required: false
@@ -427,6 +431,10 @@ runs:
           else
             cd $GITHUB_ACTION_PATH/cli
           fi
+          if [[ ${{ inputs.fips }} == "true" ]]; then
+            export GODEBUG=fips140=only
+            export GOFIPS140=v1.0.0
+          fi        
           go build -o digger ./cmd/digger
           chmod +x digger
           PATH=$PATH:$(pwd)
@@ -467,7 +475,11 @@ runs:
       shell: bash
       run: |
         if [[ ${{ inputs.ee }} == "true" ]]; then
-          curl -sL https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }} -o digger
+          if [[ ${{ inputs.fips }} == "true" ]]; then
+            curl -sL https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips -o digger
+          else
+            curl -sL https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }} -o digger
+          fi
         else
           curl -sL https://github.com/diggerhq/digger/releases/download/${actionref}/digger-cli-${{ runner.os }}-${{ runner.arch }} -o digger
         fi
diff --git a/cli/cmd/digger/default.go b/cli/cmd/digger/default.go
@@ -19,6 +19,7 @@ import (
 )
 
 func initLogger() {
+
 	logLevel := os.Getenv("DIGGER_LOG_LEVEL")
 	var level slog.Leveler
 	if logLevel == "DEBUG" {
diff --git a/docs/ee/fips-140.mdx b/docs/ee/fips-140.mdx
@@ -0,0 +1,19 @@
+---
+title: "FIPS 140 build"
+---
+
+You can use digger binary with FIPS140 standard. FIPS 140 (Federal Information Processing Standard Publication 140) is a U.S. government standard that specifies security requirements for cryptographic modules protecting sensitive information.
+
+as of version v0.6.101 digger backend and cli are both compiled seperately with FIPS140 enabled. In order to enable it for github follow these steps:
+
+- For the backend you need to ensure you use the right docker image: `_backend_ee_fips` during the pull
+- For the cli you need to add the following argument in addition to `ee: true` :
+
+```
+    - diggerhq/digger@vLatest
+      with:
+         ee: 'true'
+         fips: 'true'
+```
+
+If you are using gitlab or other VCS then just ensure that you are downloading the fips enabled binary which is suffixed with '_fips'
diff --git a/ee/backend/main.go b/ee/backend/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/fips140"
 	"embed"
 	"fmt"
 	"github.com/diggerhq/digger/backend/bootstrap"
@@ -31,6 +32,8 @@ func main() {
 		log.Printf("error checking license %v", err)
 		os.Exit(1)
 	}
+
+	log.Printf("fips140 enabled: %v", fips140.Enabled())
 	githubProvider := github.DiggerGithubEEClientProvider{}
 	diggerController := ce_controllers.DiggerController{
 		CiBackendProvider:                  ci_backends2.EEBackendProvider{},
diff --git a/ee/cli/cmd/digger/default.go b/ee/cli/cmd/digger/default.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/fips140"
 	"encoding/json"
 	"fmt"
 	"github.com/diggerhq/digger/cli/pkg/digger"
@@ -24,8 +25,8 @@ import (
 var defaultCmd = &cobra.Command{
 	Use: "default",
 	Run: func(cmd *cobra.Command, args []string) {
-
 		specStr := os.Getenv("DIGGER_RUN_SPEC")
+		log.Printf("Fips140 enabled in build: %v", fips140.Enabled())
 		if specStr != "" {
 			var spec lib_spec.Spec
 			err := json.Unmarshal([]byte(specStr), &spec)

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ import (`
`19`	`19`	`)`
`20`	`20`
`21`	`21`	`func initLogger() {`
	`22`	`+`
`22`	`23`	`logLevel := os.Getenv("DIGGER_LOG_LEVEL")`
`23`	`24`	`var level slog.Leveler`
`24`	`25`	`if logLevel == "DEBUG" {`