Commit ea8ca4e7 authored by Clement Bois's avatar Clement Bois

feat: add a job generating a software bill of materials

parent 4d339991
+12 −0
@@ -397,6 +397,18 @@ In addition to a textual report in the console, this job produces the following
| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |

### `docker-sbom` job

This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [syft](https://github.com/anchore/syft).

It is bound to the `package-test` stage, and uses the following variables:

| Name                  | description                            | default value     |
| --------------------- | -------------------------------------- | ----------------- |
| `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `anchore/syft:debug` |
| `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger` |

### `docker-publish` job

This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
+18 −0
@@ -174,6 +174,24 @@
          "advanced": true
        }
      ]
    },
    {
      "id": "sbom",
      "name": "Software Bill of Materials",
      "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
      "disable_with": "DOCKER_SBOM_DISABLED",
      "variables": [
        {
          "name": "DOCKER_SBOM_IMAGE",
          "default": "anchore/syft:debug"
        },
        {
          "name": "DOCKER_SBOM_OPTS",
          "description": "Options for syft used for SBOM analysis",
          "default": "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger",
          "advanced": true
        }
      ]
    }
  ],
  "variants": [
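Review bot: The `DOCKER_SBOM_IMAGE` entry carries no `description`, unlike the `DOCKER_SBOM_OPTS` entry just below it and the sibling variables in this descriptor, so whatever renders this file shows the image variable with no explanation of what it is for. Add `"description": "The docker image used to emit SBOM"` next to its `"name"`, which matches the wording used in the README table of this same commit. The enclosing array starts outside the hunk.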
+29 −0
@@ -69,6 +69,10 @@ variables:
  DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest"
  DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os"

  # SBOM genenration image and arguments
  DOCKER_SBOM_IMAGE: anchore/syft:debug
  DOCKER_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger"

  # by default: DevOps pipeline
  PUBLISH_ON_PROD: "true"

@@ -677,6 +681,31 @@ docker-trivy:
      when: never
    - !reference [.test-policy, rules]

docker-sbom:
  extends: .docker-base
  stage: package-test
  image:
    name: $DOCKER_SBOM_IMAGE
    entrypoint: [""]
  # force no dependency
  dependencies: []
  script:
    - mkdir -p -m 777 reports
    - dockerfile_hash=$(md5sum "$DOCKER_FILE" | cut -d" " -f1)
    - /syft packages $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${dockerfile_hash}.cyclonedx.json
    - chmod a+r reports/docker-sbom-${dockerfile_hash}.cyclonedx.json
  artifacts:
    name: "SBOM for docker from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 week
    when: always
    paths:
      - "reports/docker-sbom-*.cyclonedx.json"
  rules:
    # exclude if disabled
    - if: '$DOCKER_SBOM_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]

# ==================================================
# Stage: publish
# ==================================================
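Review bot: The SBOM generator is referenced only through the floating `anchore/syft:debug` tag, both as the `DOCKER_SBOM_IMAGE` default in the variables hunk and as the `image:` of the new `docker-sbom` job, so two pipelines on the same commit may emit SBOMs from different syft builds and the provenance of the document that is supposed to attest the image's contents is itself unrecorded; a versioned tag, quoted like the neighbouring `DOCKER_TRIVY_IMAGE`, would fix both the drift and the style mismatch: `DOCKER_SBOM_IMAGE: "anchore/syft:<pinned-version>"`. The `mkdir -p -m 777 reports` line creates a world-writable artifact directory, which is wider than the later `chmod a+r` on the output file needs; the directory is created by the same user that runs `/syft`, so `mkdir -p reports` should be enough unless another user in the image is presumably meant to write there. The variables comment also has a typo: `# SBOM genenration image and arguments` should read `# SBOM generation image and arguments`.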