ci: generate sboms for provided packages in a release (#247)

* ci: generate sboms for provided packeges in a release * ci: goreleaser cfg version set to v2 * ci: install syft bin & add source sbom gen * ci: finally add syft install to all ci actions where it is needed * ci: typo * docs: use syft to generate a sbom manually * fix: syft example cmd path & better syft licenses template * docs: new org
telekom · Jan 21, 2025 · 7b8f036 · 7b8f036
1 parent 86ed6cd
commit 7b8f036
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,6 +20,9 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+
+      - name: Install syft for sbom generation
+        uses: anchore/sbom-action/download-syft@v0.17.9
 
       - name: Build snapshot artifacts
         uses: goreleaser/goreleaser-action@v6

diff --git a/.github/workflows/e2e_checks.yml b/.github/workflows/e2e_checks.yml
@@ -44,6 +44,9 @@ jobs:
           "network_plugin": "kathara/katharanp_vde"
           }' > ~/.config/kathara.conf
 
+      - name: Install syft for sbom generation
+        uses: anchore/sbom-action/download-syft@v0.17.9
+
       - name: Build binary for e2e
         uses: goreleaser/goreleaser-action@v6
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -37,6 +37,9 @@ jobs:
           registry: mtr.devops.telekom.de
           username: ${{ secrets.MTR_USERNAME }}
           password: ${{ secrets.MTR_PASSWORD }}
+
+      - name: Install syft for sbom generation
+        uses: anchore/sbom-action/download-syft@v0.17.9
 
       - name: Build, push & release
         uses: goreleaser/goreleaser-action@v6

diff --git a/.goreleaser-ci.yaml b/.goreleaser-ci.yaml
@@ -1,3 +1,4 @@
+version: 2
 project_name: sparrow
 snapshot:
   name_template: "commit-{{ .ShortCommit }}"
@@ -25,3 +26,5 @@ dockers:
       - --label=org.opencontainers.image.created={{ .Timestamp }}
       - --label=org.opencontainers.image.revision={{ .FullCommit }}
       - --label=org.opencontainers.image.licenses="Apache 2.0"
+sboms:
+  - artifacts: archive
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -1,3 +1,4 @@
+version: 2
 project_name: sparrow
 builds:
   - env: [CGO_ENABLED=0]
@@ -39,3 +40,8 @@ nfpms:
       - deb
       - rpm
       - apk
+sboms:
+  - id: archive
+    artifacts: archive
+  - id: source
+    artifacts: source
diff --git a/scripts/sbom/README.md b/scripts/sbom/README.md
@@ -0,0 +1,23 @@
+# Generate SBOM with Syft
+
+This doc can be used to generate a SBOM manually with [Syft](https://github.com/anchore/syft).
+
+## Usage
+
+Install the Syft binary.
+
+Use the following command to generate a simple SBOM file form the repository:
+
+```shell
+syft .
+```
+
+Alternative output variants can be found [here](https://github.com/anchore/syft/wiki/Output-Formats).
+
+Use the following command to generate a SBOM markdown file using the `example.sbom.tmpl` goTemplate template file:
+
+```shell
+SYFT_GOLANG_SEARCH_REMOTE_LICENSES=true syft ghcr.io/telekom/sparrow:v0.5.0 -o template -t scripts/sbom/example.sbom.tmpl
+```
+
+Setting the env variable `SYFT_GOLANG_SEARCH_REMOTE_LICENSES=true` will ensure to lookup licenses remotely. In this example the sparrow image in version `v0.5.0` is scanned.
diff --git a/scripts/sbom/example.sbom.tmpl b/scripts/sbom/example.sbom.tmpl
@@ -0,0 +1,5 @@
+| Package | Type | Version | Licenses |
+| ------- | ---- | ------- | -------- |
+{{- range .artifacts}}
+| {{.name}} | {{.type}} | {{.version}} | {{range $index, $licence := .licenses}}{{- if $index}}, {{end}}{{$licence.value}}{{end}} |
+{{- end}}