Loading templates/gitlab-ci-docker.yml +5 −4 Original line number Diff line number Diff line Loading @@ -1328,13 +1328,14 @@ docker-sbom: log_info "Syft version:" /syft version - mkdir -p -m 777 reports - echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -t .img-digest.tmpl -o template=.img-digest.txt - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -o json=reports/docker-sbom-${basename}.native.json - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json reports/docker-sbom-${basename}.native.json - | if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl /syft convert ${TRACE+-vv} reports/docker-sbom-${basename}.native.json -t .img-digest.tmpl -o template=.img-digest.txt docker_image_digest=$(cat .img-digest.txt) log_info "Attaching attested SBOM to ${docker_image_digest}..." install_cosign Loading @@ -1346,7 +1347,7 @@ docker-sbom: expire_in: 1 week when: always paths: - "reports/docker-sbom-*.cyclonedx.json" - "reports/docker-sbom-*" reports: cyclonedx: - "reports/docker-sbom-*.cyclonedx.json" Loading Loading
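Review bot: The digest that cosign attests to is now recovered by a second Syft pass (`/syft convert … -o template=.img-digest.txt`) over `reports/docker-sbom-${basename}.native.json`, a world-readable file in a `reports/` directory created with mode 777 earlier in the same script, and nothing validates the result before `docker_image_digest=$(cat .img-digest.txt)` feeds it to the attach step — an empty or malformed `.img-digest.txt` (convert failure, or a native-JSON schema change after a Syft upgrade) would still be logged and attached. I would guard it right after the `cat`, before `install_cosign`: `[[ "${docker_image_digest}" =~ ^[^@]+@sha256:[0-9a-f]{64}$ ]] || { log_info "Could not determine image digest for attestation: '${docker_image_digest}'"; exit 1; }`. It is also worth confirming that `{{.source.id}}` in the template is the registry manifest digest rather than a local image ID, since the attestation is only useful if it resolves to the pushed `${DOCKER_SNAPSHOT_IMAGE}`; if I recall correctly Syft's native JSON exposes both kinds of identifier under `source.metadata`. Widening the artifact glob to `reports/docker-sbom-*` in the second hunk also publishes the native JSON, which is generally more verbose than the CycloneDX output, so check that is intended for a `when: always` artifact. The `docker-sbom` job's script starts before and ends after this hunk.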
templates/gitlab-ci-docker.yml +5 −4 Original line number Diff line number Diff line Loading @@ -1328,13 +1328,14 @@ docker-sbom: log_info "Syft version:" /syft version - mkdir -p -m 777 reports - echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -t .img-digest.tmpl -o template=.img-digest.txt - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -o json=reports/docker-sbom-${basename}.native.json - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json reports/docker-sbom-${basename}.native.json - | if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl /syft convert ${TRACE+-vv} reports/docker-sbom-${basename}.native.json -t .img-digest.tmpl -o template=.img-digest.txt docker_image_digest=$(cat .img-digest.txt) log_info "Attaching attested SBOM to ${docker_image_digest}..." install_cosign Loading @@ -1346,7 +1347,7 @@ docker-sbom: expire_in: 1 week when: always paths: - "reports/docker-sbom-*.cyclonedx.json" - "reports/docker-sbom-*" reports: cyclonedx: - "reports/docker-sbom-*.cyclonedx.json" Loading