Commit 48ef9f6c authored by Clement Bois's avatar Clement Bois

Merge branch 'fix/sbom-attest-digest' into 'master'

fix(sbom): attest digest instead of tag

Closes #144

See merge request to-be-continuous/docker!170
parents b632a076 a46225ba
+8 −5
@@ -1329,22 +1329,25 @@ docker-sbom:
      /syft version
    - mkdir -p -m 777 reports
    - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json
    - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json
    - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -o json=reports/docker-sbom-${basename}.native.json
    - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json reports/docker-sbom-${basename}.native.json
    - |
      if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]]
      then
        log_info "Attaching attested SBOM to ${DOCKER_SNAPSHOT_IMAGE}..."
        echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl
        /syft convert ${TRACE+-vv} reports/docker-sbom-${basename}.native.json -t .img-digest.tmpl -o template=.img-digest.txt
        docker_image_digest=$(cat .img-digest.txt)
        log_info "Attaching attested SBOM to ${docker_image_digest}..."
        install_cosign
        configure_cosign_private_key
        $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${DOCKER_SNAPSHOT_IMAGE}
        $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${docker_image_digest}
      fi
  artifacts:
    name: "SBOM for docker from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 week
    when: always
    paths:
      - "reports/docker-sbom-*.cyclonedx.json"
      - "reports/docker-sbom-*"
    reports:
      cyclonedx:
        - "reports/docker-sbom-*.cyclonedx.json"
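Review bot: The reference passed to `$docker_cosign attest` is whatever syft rendered from the `{{.source.name}}@sha256:{{.source.id}}` template, with no check on the result, so an empty or malformed `.img-digest.txt` either attests an unintended reference or fails with an opaque cosign error instead of a clear one. Add a guard right after the `cat`, e.g. `[[ "${docker_image_digest}" == *@sha256:* ]] || { echo "could not resolve image digest from SBOM"; exit 1; }`. It is also worth confirming that `.source.id` is the registry manifest digest rather than syft's own artifact identifier; syft's native JSON additionally exposes `.source.metadata.manifestDigest` and `.source.metadata.repoDigests`, which are the values the registry actually resolves, and an attestation bound to the wrong digest is silently unverifiable. The temporary `.img-digest.tmpl` and `.img-digest.txt` files are written to the workspace root rather than `reports/` and are never removed. The `docker-sbom` job's script starts before this hunk.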