[DPE-2137] Add SBOM generation #31
Conversation
|
An example of the expected end result can be seen here. There's a |
.github/workflows/sbom.yaml
Outdated
| uses: actions/checkout@v3 | ||
| - name: Install Syft | ||
| run: | | ||
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin |
There was a problem hiding this comment.
@dragomirp after some internal discussions, please replace here "main" with "v0.85.0", it should be safe enough to merge it AS IS, until we have a final SBOM Canonical vision. Tnx!
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | |
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/v0.85.0/install.sh | sh -s -- -b /usr/local/bin |
There was a problem hiding this comment.
@taurus-forever That doesn't address security concerns—the tag can be moved. Suggest pinning to a commit hash instead
There was a problem hiding this comment.
@carlcsaposs-canonical I intend to move this to check the image from the registry, so it wouldn't matter if the artefact is potentially changed, but I can't promise it would be this pulse.
There was a problem hiding this comment.
My point is that main and v0.85.0 are essentially the same from a security perspective—in the short term, I think we should either stay with main or move to a commit hash
There was a problem hiding this comment.
Yes. Running syft at the end against the registry instead of the artefact would address this, since at that point the artefact is already published.
There was a problem hiding this comment.
but I can't promise it would be this pulse
For the commit hash, I'm only referring to short-term (i.e. this PR)
Co-authored-by: Alex Lutay <[email protected]>
Issue
Need to generate SBOM manifest for future security auditing
Solution
Add a workflow to generate the manifest