From d6235d8f791d6b5223aacc0f556cf656798b5c7e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 26 Aug 2023 17:06:26 +0000 Subject: [PATCH 01/13] Build(deps): Bump dotnet/aspnet in /src/docker Bumps dotnet/aspnet from `d9c46e7` to `29b8cf3`. --- updated-dependencies: - dependency-name: dotnet/aspnet dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- src/docker/Dockerfile-bookworm | 2 +- src/docker/Dockerfile-bullseye | 2 +- src/docker/Dockerfile-jammy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/docker/Dockerfile-bookworm b/src/docker/Dockerfile-bookworm index 30d38ee6..0abc9fa5 100644 --- a/src/docker/Dockerfile-bookworm +++ b/src/docker/Dockerfile-bookworm @@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/dotnet/aspnet:6.0-bookworm-slim@sha256:d9c46e7265ab5dacd41ab10253da89639afe63db10265912bfd779395ea5ad02 as base +FROM mcr.microsoft.com/dotnet/aspnet:6.0-bookworm-slim@sha256:29b8cf3908e4aff3e442411c52d0074a3f5963828c4a68902284f8f88beedcb3 as base # Force apt-get to not use TTY ENV DEBIAN_FRONTEND noninteractive diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye index 7b8064c0..a255db6a 100644 --- a/src/docker/Dockerfile-bullseye +++ b/src/docker/Dockerfile-bullseye @@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim@sha256:39f2c3efb84d744c63f43ee1c206d560d67444858e9622a9c5db93d5ef221dc8 as base +FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim@sha256:ea55e44e473d0937e5b2f197954b54810c58f95067f3ea5bcedf0b43190f86d8 as base # Force apt-get to not use TTY ENV DEBIAN_FRONTEND noninteractive diff --git a/src/docker/Dockerfile-jammy b/src/docker/Dockerfile-jammy index e91b8c2e..f9af8819 100644 --- a/src/docker/Dockerfile-jammy +++ b/src/docker/Dockerfile-jammy 
@@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/dotnet/aspnet:6.0-jammy@sha256:3bfa991099be226f693d2537507ccd1435c672d29d9f92f81f75e7d32df874d3 as base +FROM mcr.microsoft.com/dotnet/aspnet:6.0-jammy@sha256:9788d76fb41015337d61a2b2ef450d6b90c7793730aa0d4c2eab02ec66e05607 as base # Force apt-get to not use TTY ENV DEBIAN_FRONTEND noninteractive From 1664939c047c7936e18fc9efb2ef41447eed2ace Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Aug 2023 09:47:18 +0000 Subject: [PATCH 02/13] Build(deps): Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.9.1 to 2.10.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v2.9.1...v2.10.0) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 51e88649..d65f7533 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -280,7 +280,7 @@ jobs: platforms: ${{ matrix.arch }} - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v2.9.1 + uses: docker/setup-buildx-action@v2.10.0 with: version: v${{ env.BUILDX_VERSION }} driver-opts: | From b1c9239a22d52b4bd7cdb8af788b53f03c580894 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Aug 2023 10:00:18 +0000 Subject: [PATCH 03/13] Build(deps): Bump github/codeql-action from 2.21.4 to 2.21.5 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.4 to 2.21.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 51e88649..fe2baf32 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -170,7 +170,7 @@ jobs: snyk.sarif - name: Upload results to GitHub Security - uses: github/codeql-action/upload-sarif@v2.21.4 + uses: github/codeql-action/upload-sarif@v2.21.5 with: sarif_file: merged.sarif @@ -405,7 +405,7 @@ jobs: snyk-*.sarif - name: Upload results to GitHub Security - uses: github/codeql-action/upload-sarif@v2.21.4 + uses: github/codeql-action/upload-sarif@v2.21.5 with: sarif_file: merged.sarif @@ -579,7 +579,7 @@ jobs: ${{ steps.tag.outputs.tag }} - name: Upload results to GitHub Security - uses: github/codeql-action/upload-sarif@v2.21.4 + uses: github/codeql-action/upload-sarif@v2.21.5 with: sarif_file: snyk.sarif @@ -600,7 +600,7 @@ jobs: run: semgrep ci --sarif --output=semgrep.sarif - name: Upload results to GitHub Security - uses: github/codeql-action/upload-sarif@v2.21.4 + uses: github/codeql-action/upload-sarif@v2.21.5 with: sarif_file: semgrep.sarif From 736883ba2f9c131fa0c1bba075d379b8f4e082d2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Aug 2023 10:00:24 +0000 Subject: [PATCH 04/13] Build(deps): Bump trufflesecurity/trufflehog from 3.53.0 to 3.54.0 Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.53.0 to 3.54.0. - [Release notes](https://github.com/trufflesecurity/trufflehog/releases) - [Changelog](https://github.com/trufflesecurity/trufflehog/blob/main/.goreleaser.yml) - [Commits](https://github.com/trufflesecurity/trufflehog/compare/v3.53.0...v3.54.0) --- updated-dependencies: - dependency-name: trufflesecurity/trufflehog dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 51e88649..5cd58dcd 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -79,7 +79,7 @@ jobs: submodules: recursive - name: SAST - Credentials - uses: trufflesecurity/trufflehog@v3.53.0 + uses: trufflesecurity/trufflehog@v3.54.0 with: base: ${{ github.event.repository.default_branch }} head: HEAD From f71c00e78d01f91478ecd855bbc1e55cb13f2d75 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 31 Aug 2023 09:38:05 +0000 Subject: [PATCH 05/13] Build(deps): Bump trufflesecurity/trufflehog from 3.54.0 to 3.54.1 Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.54.0 to 3.54.1. - [Release notes](https://github.com/trufflesecurity/trufflehog/releases) - [Changelog](https://github.com/trufflesecurity/trufflehog/blob/main/.goreleaser.yml) - [Commits](https://github.com/trufflesecurity/trufflehog/compare/v3.54.0...v3.54.1) --- updated-dependencies: - dependency-name: trufflesecurity/trufflehog dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 3ce29bb6..c84bd068 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -79,7 +79,7 @@ jobs: submodules: recursive - name: SAST - Credentials - uses: trufflesecurity/trufflehog@v3.54.0 + uses: trufflesecurity/trufflehog@v3.54.1 with: base: ${{ github.event.repository.default_branch }} head: HEAD From 124ab172007801ae4781217d350cc511f9630d0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Fri, 1 Sep 2023 17:31:50 +0200 Subject: [PATCH 06/13] Security: Sign containers with Cosign --- .github/workflows/pipeline.yaml | 45 +++++++++++++++++++++++++++++++-- SECURITY.md | 5 +++- cosign.pub | 4 +++ 3 files changed, 51 insertions(+), 3 deletions(-) create mode 100644 cosign.pub diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index c84bd068..eb0bde6f 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -20,6 +20,8 @@ env: CONTAINER_NAME: ${{ github.repository }} CONTAINER_REGISTRY_GHCR: ghcr.io CONTAINER_REGISTRY_DOCKER_HUB: docker.io + # https://github.com/sigstore/cosign/releases + COSIGN_VERSION: 2.2.0 # https://npmjs.com/package/@microsoft/sarif-multitool?activeTab=versions SARIF_MULTITOOL_VERSION: 4.3.0 # https://npmjs.com/package/snyk?activeTab=versions @@ -292,6 +294,11 @@ jobs: with: node-version: ${{ env.NODE_VERSION }} + - name: Setup Cosign + uses: sigstore/cosign-installer@v3.1.1 + with: + cosign-release: v${{ env.COSIGN_VERSION }} + - name: Login to registry - GitHub uses: docker/login-action@v2.2.0 with: @@ -376,7 +383,21 @@ jobs: sbom: true tags: ${{ steps.meta.outputs.tags }} - - name: Run SAST Snyk on container image + - name: Sign containers + env: + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + run: | + while IFS= read -r tag; do + echo "Signing $tag..." + cosign sign \ + --key="env://COSIGN_PRIVATE_KEY" \ + --recursive \ + --yes \ + $tag + done <<< "${{ steps.meta.outputs.tags }}" + + - name: Run SAST Snyk against containers # Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security continue-on-error: true env: @@ -444,6 +465,11 @@ jobs: echo "version=$(powershell cicd/version/version.ps1 -g . -c)" >> $Env:GITHUB_OUTPUT echo "version_full=$(powershell cicd/version/version.ps1 -g . -c -m)" >> $Env:GITHUB_OUTPUT + - name: Setup Cosign + uses: sigstore/cosign-installer@v3.1.1 + with: + cosign-release: v${{ env.COSIGN_VERSION }} + - name: Login to registry - GitHub uses: docker/login-action@v2.2.0 with: 
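Review bot: The new `Sign containers` step signs by tag (`cosign sign … $tag`), so the signature is bound to whatever each tag resolves to at signing time rather than to the manifest the preceding build step just pushed; if the build step has an id, signing `<image>@${{ steps.<build-step-id>.outputs.digest }}` (placeholder id) binds the signature to the exact digest, and `--recursive` still covers the per-arch children. The tag list is also interpolated directly into the shell via `done <<< "${{ steps.meta.outputs.tags }}"`; moving it to the step's `env:` (`TAGS: ${{ steps.meta.outputs.tags }}`, then `done <<< "$TAGS"`) and quoting the loop variable (`"$tag"`) keeps metadata-action output out of script context. The PowerShell `Sign containers` step in the next hunk has the same two points (`('${{ steps.meta.outputs.tags }}').Split(…)` would become `$Env:TAGS.Split(…)`). The `sigstore/cosign-installer@v3.1.1` reference is tag-pinned like the other actions in this file; the signing toolchain in particular is worth pinning to a commit SHA so the action that handles `COSIGN_PRIVATE_KEY` is immutable.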
@@ -565,7 +591,22 @@ jobs: docker push --quiet $tag } - - name: Run SAST Snyk on container image + - name: Sign containers + env: + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + run: | + $tags = ('${{ steps.meta.outputs.tags }}').Split([Environment]::NewLine) + foreach ($tag in $tags) { + Write-Host "Signing $tag..." + cosign sign ` + --key="env://COSIGN_PRIVATE_KEY" ` + --recursive ` + --yes ` + $tag + } + + - name: Run SAST Snyk against containers # Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security continue-on-error: true env: diff --git a/SECURITY.md b/SECURITY.md index eee636fb..ea3537da 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -24,7 +24,10 @@ If you think you have found a vulnerability, please do not open an issue on GitH ## Chain of trust -The Helm chart is signed with a GPG key. [The public key is available on Keybase at the following address.](https://keybase.io/clemlesne/pgp_keys.asc) +Both the containers and the Helm chart are signed: + +- Containers are signed with Cosign, public keys are available at [`cosign.pub`](cosign.pub) at the root of the repository. +- Helm chart is signed with a GPG key. [The public key is available on Keybase at the following address.](https://keybase.io/clemlesne/pgp_keys.asc) ## Reliability notes diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 00000000..e06e9de8 --- /dev/null +++ b/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERbXillF9UqyNmGEffSXiEQAlgiKp +RJFDQRRbnqpfDYbJRAPHwDM/g13P0WOmY079JUl5tdMAoew6XK602u952Q== +-----END PUBLIC KEY----- From 56c216049828e0c32bf75d61dffbdfc3c63ae554 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Fri, 1 Sep 2023 17:55:33 +0200 Subject: [PATCH 07/13] Security: Enhance SARIF file generation --- .github/workflows/pipeline.yaml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index c84bd068..e768be46 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -163,11 +163,12 @@ jobs: # See: https://github.com/github/codeql-action/issues/220 - name: Merge SARIF files run: | - npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} \ - merge \ - --merge-runs \ - --output-file merged.sarif \ - snyk.sarif + npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} merge \ + --automation-id ${{ github.run_id }} \ + --merge-empty-logs \ + --merge-runs \ + --output-file merged.sarif \ + snyk.sarif - name: Upload results to GitHub Security uses: github/codeql-action/upload-sarif@v2.21.5 @@ -397,12 +398,12 @@ jobs: # See: https://github.com/github/codeql-action/issues/220 - name: Merge SARIF files run: | - npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} \ - merge \ - --merge-runs \ - --output-file merged.sarif \ - --recurse true \ - snyk-*.sarif + npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} merge \ + --automation-id ${{ github.run_id }} \ + --merge-empty-logs \ + --merge-runs \ + --output-file merged.sarif \ + *.sarif - name: Upload results to GitHub Security uses: github/codeql-action/upload-sarif@v2.21.5 From 0cfce3c709c9554692dd801baafd67942399df44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Fri, 1 Sep 2023 17:47:54 +0200 Subject: [PATCH 08/13] Dev: Enhance logging --- .github/workflows/pipeline.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index e768be46..bc13d78e 100644 
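Review bot: The second `Merge SARIF files` hunk widens the input glob from `snyk-*.sarif` to `*.sarif`, so any SARIF file present in the workspace — `merged.sarif` itself if the step is re-run in the same checkout, or a SARIF file that happens to be committed in the repository — would be merged and uploaded to GitHub Security as findings. Keeping the narrower `snyk-*.sarif` pattern, or writing the output outside the glob (`--output-file out/merged.sarif`), avoids that. Both hunks also add `--automation-id ${{ github.run_id }}` and `--merge-empty-logs` without saying why; a one-line comment above the first step recording the intent (for example why the run id was chosen as the automation id) would spare the next maintainer a trip to the sarif-multitool docs.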
--- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -118,7 +118,7 @@ jobs: with: node-version: ${{ env.NODE_VERSION }} - - name: Prepare GPG key for Helm chart + - name: Prepare GPG key run: | echo "${{ secrets.GPG_KEYRING }}" | gpg --dearmor > keyring.gpg @@ -394,8 +394,6 @@ jobs: ${{ steps.tag.outputs.tag }} done - # Fix issue "Error: Code Scanning could not process the submitted SARIF file: rejecting SARIF, as there are more runs than allowed (XX > 20)" - # See: https://github.com/github/codeql-action/issues/220 - name: Merge SARIF files run: | npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} merge \ @@ -554,7 +552,7 @@ jobs: Write-Host "Pulling cache images:" foreach ($tag in $tags) { - Write-Host " $tag" + Write-Host " $tag" docker pull --quiet $tag || true } From ce575f1345ebf7cba1356b19653664f578f0c573 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Fri, 1 Sep 2023 17:48:25 +0200 Subject: [PATCH 09/13] Dev: Harmonise Node versions across Linux and Windows builders --- .github/workflows/pipeline.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index bc13d78e..a42ab664 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -443,6 +443,12 @@ jobs: echo "version=$(powershell cicd/version/version.ps1 -g . -c)" >> $Env:GITHUB_OUTPUT echo "version_full=$(powershell cicd/version/version.ps1 -g . -c -m)" >> $Env:GITHUB_OUTPUT + # Required for running "npx" CLI + - name: Setup Node + uses: actions/setup-node@v3.8.1 + with: + node-version: ${{ env.NODE_VERSION }} + - name: Login to registry - GitHub uses: docker/login-action@v2.2.0 with: From ad7f058afdde5d72328f483f50782ba492440c2d Mon Sep 17 00:00:00 2001 
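Review bot: The hunk at `@@ -394,8 +394,6 @@` removes the comment explaining why SARIF files are merged before upload (the Code Scanning limit on runs per file, with the codeql-action issue link) while keeping the `Merge SARIF files` step it justified; without the reason the merge reads as redundant and is liable to be dropped later. Suggest keeping a one-line rationale above the step, e.g. `# Merge runs so the upload stays under Code Scanning's per-file run limit (github/codeql-action#220)`. The identical comment above the earlier `Merge SARIF files` step (around line 163) is left in place by this commit, so the two steps end up documented inconsistently.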
From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Fri, 1 Sep 2023 18:26:05 +0200 Subject: [PATCH 10/13] Doc: Way to verify binary signatures --- SECURITY.md | 27 +++++++++++++++++++++++++-- pubring.gpg | Bin 0 -> 4088 bytes 2 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 pubring.gpg diff --git a/SECURITY.md b/SECURITY.md index ea3537da..9601286e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -26,8 +26,31 @@ If you think you have found a vulnerability, please do not open an issue on GitH Both the containers and the Helm chart are signed: -- Containers are signed with Cosign, public keys are available at [`cosign.pub`](cosign.pub) at the root of the repository. -- Helm chart is signed with a GPG key. [The public key is available on Keybase at the following address.](https://keybase.io/clemlesne/pgp_keys.asc) +### Containers + +Containers are signed with Cosign, public key is available in [`cosign.pub`](cosign.pub) at the root of the repository. + +```bash +# Example of verification +❯ cosign verify --key cosign.pub ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main +Verification for ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main -- +The following checks were performed on each of these signatures: + - The cosign claims were validated + - Existence of the claims in the transparency log was verified offline + - The signatures were verified against the specified public key +``` + +### Helm chart + +Helm chart is signed with a GPG key, public key is [available on Keybase](https://keybase.io/clemlesne/pgp_keys.asc) and in [`pubring.gpg`](pubring.gpg) at the root of the repository. + +```bash +# Example of verification +❯ helm fetch --keyring pubring.gpg --verify clemlesne-azure-pipelines-agent/azure-pipelines-agent --version 5.0.0 +Signed by: Clémence Lesné +Using Key With Fingerprint: 417E701DBC66834CA752C920460D072B9C032DFD +Chart Hash Verified: sha256:1c23e22cffc132ce12489480d139b59e97b3cb49ff1599a4ae11fb5c317c1e64 +``` ## Reliability notes 
diff --git a/pubring.gpg b/pubring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..43c3ecb2e85144556192d1a7e7f721e5d0b74fbb GIT binary patch literal 4088 zcmb`KXE+-Q`^F;?5;Lg1M;oJ7?F6+|jiO={m6q7C_uivco0c{)YL~WZ1f{m(XpP#X z%0a63rZ)e+=YO5+ykE|@_v?KrNKR zo>N;HG*bVy9ZsrPh?kAvT?AfnA9KqM3t+<9Q+0G{rFSUjqKX8M9wtcN6sYpp@V`Hj ze~_KaepZoF*3jLL8}Cc8xOiAV&Pp+NuFFs4bAdVXcQ)BIMrK!1bWz`18rX-Lfst8i zooW7|PU=6Dooupi3a>b>(_S0C`7M{#%(-Wk+Jo~biZy2ZsV@%8vv&Zlhe zj`=H)aQ_`()UYo0KAygwj(!sMo>>VIrJx<8SUN9C$d-_!)tGx+qqPjtFbVf?x5kpZYOnq~d}@EeC*kGe`9DMMK$HGL9?`11 zjy(5rw7dH&m@={D4{3LRx4-9~)g3>@*oZ$2IXj;RGX^tGg~(Rj4hTyXkrUOKByNe{ zldw%iw3@2Xl47QD2b!nOHB<0u3ur-V%B`rNo`3{MAj=Aa zb_@grdDL_oQY-wEL2+}^)AAaOL|}Gjnp28d!=hE1Yh*U9^l+2Nqo5CT0h>}T4Z0U@ zbeT?zpT1Y0F(}|p?AEp!Q^L1y{h)SbG_Hf*h;y$b_)nMWKbacBoOULlf2dHw>VGpCe+~`t#AFoq}x0}f#D(~ z5+d7n&8v+Pj5xlp_(AV6cr;(aNI{6R59`R4d1Pf`JViVjdYW1b|J!c=0QQgZ{>gqr zCr>W*+jD&XE;-Rs2_QG%zoj-;{99@o)2{^f2MY`Q9uOpjxAnfQ=rxVa-MPcG^pSyV zP-4UC`P-Xmr~X@BF;y`T7Kyo%&-=SHi*vUGv$k*0Py6lT$HX|n zbi9L$-t-Yjse+xLuTk-d-Fai0A}jcjqQ_HQL}He!T6_o-P=Lgl8yh6&B!Lio)?Dv* z8F6NVr{_?AN`*4pqoy?bsZ9*SHqffPu!@c8V&Qo|6`Aj!N)WVZ$(yBB7AMOI0AKgn z_F2qDyBTjAWrTnC5?|{wE*bA%5bW(ZF{8=ai|wH_Mr+eL_S+*kvSK5X&7e&-ypu}^ z%FyH_c8|f5zF(-%R?%cB9$@Z+UhQ28b`guQ5g$G>$+M1t8uS<3K2J<&LxCxLaJidc z^N?GB1p6dLrYPGBOnlOMq4+ zm@ZfGtg|j(w#0jtFO*gF7Sbx~S7eYyW&XI#Ih!~Q=sJ6p4hj11MsXH8C z4vwtlwq8UbRcqf;wk#u&wDyGS4xwCx5;6@!BGXr{AXy9Q$r~s(8qt*9_V);lCuDSWI%Q@U^WQI zL-sFx0RS5`FhGGG-4BXyY2L-}F=9ZA0M0BVszF030dkr%c8=nI+${Jy>~M64j-Qpp z^_F;KLW{1L=N>A3Q&07J=Tk&fr@A!9P`^j4f@eojpbQ-zY01b}wE^FEr_u1)5UWS%M_o%bXXXr|R(%%64Ql+j2rEzzr3QSf=a=p8`PDKBbi zyMsQ3W=cxaTVU_5h`R!!uH|7LY<;wDM2vFmZMOQl*l6_N*vhQ1ft=vxv~Ih zdrjdS=W%83EQpE$T<=@K%M<3%18CtKNyOQCkz0EHLke^uTsqJzaQiI#k8btE$Xt%B zdM3B?Q_xBUfsNfBA~bWKS`>;#2jtMZsowBckGk^Ekj`N+r;i3%!Xo}4C|Y|w=R8pL z2VWtVAd5nwnaWYP-PPc{bwTP!j9oJ}vi$wvo(!*1=@+3ztv53RCf>EEqh7)b#Kzc} z-m}oXtzcT?=_xDDGXnnVm<|Y%8NC zW7hc3TrX+&mNt*DpuQp6vHig|3q$+HQ2ma)ZrKn%=DOc}dSmjcgsG8wp!K(bxo^rR 
z1JBFo;w|e9WMLi|eu8xQHL003k@8*P8?+fz;}I(Wo{6K{O|}&s<)oi7*Vam&@Gu!L z^G}Q z#P~&n5=WHF0|}=-_!9_XD1MefkCSX7 zPk*>Rd55*X^xpCp;1qS_3dcFLwV~a7|^3^F#ReL~Z<2Gu?0b zwO(taSMvBEU0B2brB?f!wK@!U@9gmLNPz}p>!$BB;|YoEryj@2qL*Ert^?37AE(A0+ zpB5o@)S%pvY(9MgmfK~MZG0#@@x_IIo^<6-?v#9l^*%>wr0IKL1BWbRej>&uoeEwZ zfnAwwj?65HNT}|cXSr{X(J0r|`zZ`i7I?!m=ylErSHmg7C Date: Fri, 1 Sep 2023 18:53:24 +0200 Subject: [PATCH 11/13] Security: Add Cosign for Helm chart --- .github/workflows/pipeline.yaml | 16 ++++++++++++++++ SECURITY.md | 17 +++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 33ada608..45e3948b 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -120,6 +120,11 @@ jobs: with: node-version: ${{ env.NODE_VERSION }} + - name: Setup Cosign + uses: sigstore/cosign-installer@v3.1.1 + with: + cosign-release: v${{ env.COSIGN_VERSION }} + - name: Prepare GPG key run: | echo "${{ secrets.GPG_KEYRING }}" | gpg --dearmor > keyring.gpg @@ -137,6 +142,17 @@ jobs: --version ${{ steps.version.outputs.version }} \ src/helm/azure-pipelines-agent + - name: Sign Helm chart + env: + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + run: | + cosign sign-blob \ + --bundle .cr-release-packages/azure-pipelines-agent-${{ steps.version.outputs.version }}.tgz.bundle \ + --key="env://COSIGN_PRIVATE_KEY" \ + --yes \ + .cr-release-packages/azure-pipelines-agent-${{ steps.version.outputs.version }}.tgz + - name: Cache Helm chart uses: actions/upload-artifact@v3.1.2 with: diff --git a/SECURITY.md b/SECURITY.md index 9601286e..3bb2f860 100644 --- a/SECURITY.md +++ b/SECURITY.md 
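Review bot: The new `Sign Helm chart` step writes the Cosign bundle next to the chart as `.cr-release-packages/azure-pipelines-agent-<version>.tgz.bundle`, but whether that file reaches the GitHub release depends on the `path` of the following `Cache Helm chart` upload-artifact step and on the release step, both outside the hunk; the SECURITY.md change in this same patch tells users to download the `.tgz.bundle` from the release, so the artifact path should be confirmed to include `*.tgz.bundle` (a glob such as `.cr-release-packages/*.tgz*` would). The step reuses `secrets.COSIGN_PRIVATE_KEY`, the same key that signs the container images, so a single key compromise affects both artifact types; if that is deliberate, a comment on the step saying so (`# Same Cosign key as the container images; published as /cosign.pub`) documents the trust model. `steps.version.outputs.version` is interpolated into the shell twice here; it comes from the repository's own version script, so the risk is low, but passing it via `env:` (`VERSION: ${{ steps.version.outputs.version }}`) matches the safer pattern and shortens both paths.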
@@ -28,10 +28,10 @@ Both the containers and the Helm chart are signed: ### Containers -Containers are signed with Cosign, public key is available in [`cosign.pub`](cosign.pub) at the root of the repository. +Containers are signed with Cosign. Public key is available in [`cosign.pub`](cosign.pub) at the root of the repository. ```bash -# Example of verification +# Example of verification with Cosign ❯ cosign verify --key cosign.pub ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main Verification for ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main -- The following checks were performed on each of these signatures: 
@@ -42,16 +42,25 @@ The following checks were performed on each of these signatures: ### Helm chart -Helm chart is signed with a GPG key, public key is [available on Keybase](https://keybase.io/clemlesne/pgp_keys.asc) and in [`pubring.gpg`](pubring.gpg) at the root of the repository. +Helm chart is signed with two methods, GPG and Cosign. Both methods can be used to confirm authenticity of a build. Public key is [available on Keybase](https://keybase.io/clemlesne/pgp_keys.asc) and in [`pubring.gpg`](pubring.gpg) at the root of the repository. ```bash -# Example of verification +# Example of verification with Helm native signature ❯ helm fetch --keyring pubring.gpg --verify clemlesne-azure-pipelines-agent/azure-pipelines-agent --version 5.0.0 Signed by: Clémence Lesné Using Key With Fingerprint: 417E701DBC66834CA752C920460D072B9C032DFD Chart Hash Verified: sha256:1c23e22cffc132ce12489480d139b59e97b3cb49ff1599a4ae11fb5c317c1e64 ``` +```bash +# Example of verification with Cosign +❯ VERSION=5.0.0 +❯ wget https://github.com/clemlesne/azure-pipelines-agent/releases/download/azure-pipelines-agent-${VERSION}/azure-pipelines-agent-${VERSION}.tgz.bundle +❯ helm pull clemlesne-azure-pipelines-agent/azure-pipelines-agent --version 5.0.0 +❯ cosign verify-blob azure-pipelines-agent-${VERSION}.tgz --bundle azure-pipelines-agent-${VERSION}.tgz.bundle --key cosign.pub +Verified OK +``` + ## Reliability notes Systems are built every days. Each image is accompanied by a SBOM (Software Bill of Materials) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours. From b823c5c77da83d23857c6f6f75b4c5099ec7a847 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Fri, 1 Sep 2023 19:00:14 +0200 Subject: [PATCH 12/13] Doc: Enhance build authenticity --- SECURITY.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 3bb2f860..a5e68a65 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -28,7 +28,9 @@ Both the containers and the Helm chart are signed: ### Containers -Containers are signed with Cosign. Public key is available in [`cosign.pub`](cosign.pub) at the root of the repository. +Containers are signed with Cosign. + +Cosign public key is available in [`/cosign.pub`](cosign.pub). ```bash # Example of verification with Cosign @@ -42,7 +44,12 @@ The following checks were performed on each of these signatures: ### Helm chart -Helm chart is signed with two methods, GPG and Cosign. Both methods can be used to confirm authenticity of a build. Public key is [available on Keybase](https://keybase.io/clemlesne/pgp_keys.asc) and in [`pubring.gpg`](pubring.gpg) at the root of the repository. +Helm chart is signed with two methods, Cosign and GPG. Both methods can be used to confirm authenticity of a build. + +Keys: + +- Cosign public key is available in [`/cosign.pub`](cosign.pub). +- GPG public key is [available on Keybase](https://keybase.io/clemlesne/pgp_keys.asc) and in [`/pubring.gpg`](pubring.gpg). ```bash # Example of verification with Helm native signature From 13a882860710662fb3993c8d99bb2b44cdc31810 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Sat, 2 Sep 2023 12:58:44 +0200 Subject: [PATCH 13/13] Doc: Add external doc links --- README.md | 35 ++++++++++++++++++----------------- SECURITY.md | 6 +++--- 2 files changed, 21 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index dfe69d10..00915c98 100644 --- a/README.md +++ b/README.md 
@@ -19,14 +19,15 @@ Features: -- Agent register and restart itself. -- Allow to build containers inside the agent using [BuildKit](https://github.com/moby/buildkit). -- Can run air-gapped (no internet access). -- Cheap to run (dynamic provisioning of agents, can scale from 0 to 100+ in few seconds with [KEDA](https://keda.sh)). -- Performances can be customized depending of the engineering needs, which goes far beyond the Microsoft-hosted agent. -- Pre-built with Windows Server, Debian, Ubuntu, Red Hat Enterprise Linux. -- SBOM (Software Bill of Materials) is packaged with each container image. -- System updates are applied every days. +- 🔄 Agent register and restart itself. +- 🏗️ Allow to build containers inside the agent using [BuildKit](https://github.com/moby/buildkit). +- 🔒 Build authenticity can be cryptographically verified with [Cosign](https://github.com/sigstore/cosign) and GPG. +- 📵 Can run air-gapped (no internet access). +- 💰 Cheap to run (dynamic provisioning of agents, can scale from 0 to 100+ in few seconds with [KEDA](https://keda.sh)). +- 💪 Performances can be customized depending of the engineering needs, which goes far beyond the Microsoft-hosted agent. +- 🖥️ Pre-built with [Windows Server](https://www.microsoft.com/en-us/windows-server), [Debian](https://debian.org), [Ubuntu](https://ubuntu.com), [Red Hat Enterprise Linux](https://access.redhat.com/products/red-hat-enterprise-linux). +- 📦 [SBOM (Software Bill of Materials)](https://en.wikipedia.org/wiki/Software_supply_chain) is packaged with each container image. +- 🔄 System updates are applied every day. ## Usage 
@@ -59,15 +60,15 @@ helm upgrade --install agent clemlesne-azure-pipelines-agent/azure-pipelines-age > Container images are both published to GitHub Container Registry and Docker Hub. URLs showed in the doc are GitHub Container Registry URLs, for simplicity. To use Docker Hub, replace `ghcr.io/clemlesne/azure-pipelines-agent` by `docker.io/clemlesne/azure-pipelines-agent`. -| `Ref` | OS | `Size` | `Arch` | Support | -| ----------------------------------------------------------- | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | -| `ghcr.io/clemlesne/azure-pipelines-agent:bookworm-main` | Debian Bookworm (12) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/bookworm-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | -| `ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main` | Debian Bullseye (11) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/bullseye-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | -| `ghcr.io/clemlesne/azure-pipelines-agent:focal-main` | Ubuntu Focal (20.04) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/focal-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | -| `ghcr.io/clemlesne/azure-pipelines-agent:jammy-main` | Ubuntu Jammy (22.04) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/jammy-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | -| 
`ghcr.io/clemlesne/azure-pipelines-agent:ubi8-main` | Red Hat UBI 8 (8.8) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/ubi8-main?label=) | `amd64`, `arm64/v8` | [See Red Hat product life cycles.](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux) | -| `ghcr.io/clemlesne/azure-pipelines-agent:win-ltsc2019-main` | Windows Server 2019 Core | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/win-ltsc2019-main?label=) | `amd64` | [See base image servicing lifecycles.](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle) | -| `ghcr.io/clemlesne/azure-pipelines-agent:win-ltsc2022-main` | Windows Server 2022 Core | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/win-ltsc2022-main?label=) | `amd64` | [See base image servicing lifecycles.](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle) | +| `Ref` | OS | `Size` | `Arch` | Support | +| ----------------------------------------------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | +| `ghcr.io/clemlesne/azure-pipelines-agent:bookworm-main` | [Debian Bookworm (12)](https://www.debian.org/releases/bookworm) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/bookworm-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | +| `ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main` | [Debian 
Bullseye (11)](https://www.debian.org/releases/bullseye) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/bullseye-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | +| `ghcr.io/clemlesne/azure-pipelines-agent:focal-main` | [Ubuntu Focal (20.04)](https://www.releases.ubuntu.com/focal) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/focal-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | +| `ghcr.io/clemlesne/azure-pipelines-agent:jammy-main` | [Ubuntu Jammy (22.04)](https://www.releases.ubuntu.com/jammy) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/jammy-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | +| `ghcr.io/clemlesne/azure-pipelines-agent:ubi8-main` | [Red Hat UBI 8 (8.8)](https://developers.redhat.com/articles/ubi-faq) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/ubi8-main?label=) | `amd64`, `arm64/v8` | [See Red Hat product life cycles.](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux) | +| `ghcr.io/clemlesne/azure-pipelines-agent:win-ltsc2019-main` | [Windows Server 2019](https://learn.microsoft.com/en-us/windows-server) Core | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/win-ltsc2019-main?label=) | `amd64` | [See base image servicing lifecycles.](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle) | +| `ghcr.io/clemlesne/azure-pipelines-agent:win-ltsc2022-main` | [Windows Server 2022](https://learn.microsoft.com/en-us/windows-server) Core | ![Docker Image Size 
(tag)](https://img.shields.io/docker/image-size/clemlesne/azure-pipelines-agent/win-ltsc2022-main?label=) | `amd64` | [See base image servicing lifecycles.](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle) | ## Advanced topics diff --git a/SECURITY.md b/SECURITY.md index a5e68a65..68ae3499 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -28,7 +28,7 @@ Both the containers and the Helm chart are signed: ### Containers -Containers are signed with Cosign. +Containers are signed with [Cosign](https://github.com/sigstore/cosign). Cosign public key is available in [`/cosign.pub`](cosign.pub). @@ -44,7 +44,7 @@ The following checks were performed on each of these signatures: ### Helm chart -Helm chart is signed with two methods, Cosign and GPG. Both methods can be used to confirm authenticity of a build. +Helm chart is signed with two methods, [Cosign](https://github.com/sigstore/cosign) and [GPG](https://helm.sh/docs/topics/provenance). Both methods can be used to confirm authenticity of a build. Keys: @@ -70,7 +70,7 @@ Verified OK ## Reliability notes -Systems are built every days. Each image is accompanied by a SBOM (Software Bill of Materials) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours. +Systems are built every days. Each image is accompanied by a [SBOM (Software Bill of Materials)](https://en.wikipedia.org/wiki/Software_supply_chain) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours. Nevertheless it can happen that a package provider (e.g. Debian, Canonical, Red Hat) deploys a system update that introduces a bug. This is difficult to predict.