diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 740a5b56..8fb2f999 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,6 +20,9 @@ jobs:
 uses: actions/setup-go@v5
 with:
 go-version-file: go.mod
+
+ - name: Install syft for sbom generation
+ uses: anchore/sbom-action/download-syft@v0.17.9
 - name: Build snapshot artifacts
 uses: goreleaser/goreleaser-action@v6
diff --git a/.github/workflows/e2e_checks.yml b/.github/workflows/e2e_checks.yml
index d26f3b56..41a6c602 100644
--- a/.github/workflows/e2e_checks.yml
+++ b/.github/workflows/e2e_checks.yml
@@ -44,6 +44,9 @@ jobs:
 "network_plugin": "kathara/katharanp_vde"
 }' > ~/.config/kathara.conf
+ - name: Install syft for sbom generation
+ uses: anchore/sbom-action/download-syft@v0.17.9
+
 - name: Build binary for e2e
 uses: goreleaser/goreleaser-action@v6
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ca399963..effece78 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -37,6 +37,9 @@ jobs:
 registry: mtr.devops.telekom.de
 username: ${{ secrets.MTR_USERNAME }}
 password: ${{ secrets.MTR_PASSWORD }}
+
+ - name: Install syft for sbom generation
+ uses: anchore/sbom-action/download-syft@v0.17.9
 - name: Build, push & release
 uses: goreleaser/goreleaser-action@v6
diff --git a/.goreleaser-ci.yaml b/.goreleaser-ci.yaml
index bda07c53..844393fc 100644
--- a/.goreleaser-ci.yaml
+++ b/.goreleaser-ci.yaml
@@ -1,3 +1,4 @@
+version: 2
 project_name: sparrow
 snapshot:
 name_template: "commit-{{ .ShortCommit }}"
@@ -25,3 +26,5 @@ dockers:
 - --label=org.opencontainers.image.created={{ .Timestamp }}
 - --label=org.opencontainers.image.revision={{ .FullCommit }}
 - --label=org.opencontainers.image.licenses="Apache 2.0"
+sboms:
+ - artifacts: archive
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 359b91fd..da489e03 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
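Review bot: `anchore/sbom-action/download-syft@v0.17.9` is pinned to a mutable tag, so a moved or compromised tag would silently change the binary that produces the SBOM for every build; pin third-party actions to a full commit SHA and keep the version in a trailing comment, e.g. `uses: anchore/sbom-action/download-syft@<commit-sha> # v0.17.9`. The same tag-pinned step is added in e2e_checks.yml and release.yml, so the SHA pin should be applied in all three places, with Dependabot or Renovate configured to keep the SHA and comment in step. The surrounding `setup-go@v5` and `goreleaser-action@v6` context lines are pinned the same way, so this is likely a repo-wide convention rather than an oversight specific to this change, but the SBOM tooling is a good place to start tightening it.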
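Review bot: The e2e job only needs a binary to run tests against, yet this hunk adds a network download of syft before every e2e run purely so that the goreleaser build does not fail on the new `sboms` section. If the "Build binary for e2e" step (its `args` are outside the hunk) runs a snapshot release, passing `--skip=sbom` in its `args` would remove the extra download and third-party dependency from this job instead of installing syft here. If SBOM output in e2e is actually wanted, the step should at least be pinned to a commit SHA rather than the `v0.17.9` tag.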
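Review bot: The SBOMs this step enables become published release artifacts that downstream consumers will trust, so in this job in particular `download-syft` should be pinned to a commit SHA rather than the mutable `v0.17.9` tag. The hunk does not show whether release signing (a `signs:` section in `.goreleaser.yaml`, not visible here) covers the generated SBOM files; an unsigned SBOM next to signed archives can be replaced without detection, so confirm the `signs` entry uses `artifacts: all` or explicitly includes the sbom artifacts. The new step also runs after the registry login using `MTR_USERNAME`/`MTR_PASSWORD`, so the downloaded tool executes with registry credentials already present in the runner's docker config; moving the install step above the login narrows what a bad download could reach.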
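Review bot: The new `sboms` entry in `.goreleaser-ci.yaml` has no `id:`, while the equivalent entries added to `.goreleaser.yaml` in this same change are named `archive` and `source`; for consistency between the two configs write it as `- id: archive` followed by `artifacts: archive`. Style only, the behaviour is the same either way.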
@@ -1,3 +1,4 @@
+version: 2
 project_name: sparrow
 builds:
 - env: [CGO_ENABLED=0]
@@ -39,3 +40,8 @@ nfpms:
 - deb
 - rpm
 - apk
+sboms:
+ - id: archive
+ artifacts: archive
+ - id: source
+ artifacts: source
diff --git a/scripts/sbom/README.md b/scripts/sbom/README.md
new file mode 100644
index 00000000..627b2ffa
--- /dev/null
+++ b/scripts/sbom/README.md
@@ -0,0 +1,23 @@
+# Generate SBOM with Syft
+
+This doc can be used to generate a SBOM manually with [Syft](https://github.com/anchore/syft).
+
+## Usage
+
+Install the Syft binary.
+
+Use the following command to generate a simple SBOM file form the repository:
+
+```SH
+syft .
+```
+
+Alternative output variants can be found [here](https://github.com/anchore/syft/wiki/Output-Formats).
+
+Use the following command to generate a SBOM markdown file using the `example.sbom.tmpl` goTemplate template file:
+
+```SH
+SYFT_GOLANG_SEARCH_REMOTE_LICENSES=true syft ghcr.io/caas-team/sparrow:v0.5.0 -o template -t syft.sbom.tmpl
+```
+
+Setting the env variable `SYFT_GOLANG_SEARCH_REMOTE_LICENSES=true` will ensure to lookup licenses remotely. In this example the sparrow image in version `v0.5.0` is scanned.
diff --git a/scripts/sbom/example.sbom.tmpl b/scripts/sbom/example.sbom.tmpl
new file mode 100644
index 00000000..b6727b22
--- /dev/null
+++ b/scripts/sbom/example.sbom.tmpl
@@ -0,0 +1,5 @@
+| Package | Type | Version | Licenses |
+| ------- | ---- | ------- | -------- |
+{{- range .artifacts}}
+| {{.name}} | {{.type}} | {{.version}} | {{range .licenses}}{{.value}}, {{end}} |
+{{- end}}
\ No newline at end of file
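Review bot: The `nfpms` context directly above the new `sboms` block shows deb, rpm and apk packages being produced, but the SBOM entries cover only `archive` and `source`, so the Linux packages are released without an SBOM; add a third entry `- id: package` / `artifacts: package` so every distributed artifact gets one. The container images built elsewhere in the goreleaser configs (the `dockers` section, outside this hunk) are likewise not covered by any `sboms` entry here; if image SBOMs are wanted they need a separate step, for example running syft against the pushed image as the new README describes for manual use.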