This repository has been archived by the owner on Dec 21, 2023. It is now read-only.

feat: Publish SBOM for Keptn artifacts/images #9391

Closed
wants to merge 7 commits into from

Conversation

riteshsonawane1372

This PR

Added SBOMs for Keptn services and CLI using the Anchore SBOM action

Related Issues

Fixes #7163

Signed-off-by: RITESH R. SONAWANE <72307121+riteshsonawane1372@users.noreply.github.com>
thschue changed the title from "Publish SBOM for Keptn artifacts/images" to "feat: Publish SBOM for Keptn artifacts/images" on Jan 4, 2023
mowies (Member) left a comment

This is a good start! But there's some stuff missing still.
First of all, you could use the matrix we already have in place in the docker_build job.
Something like this:

build_sboms:
  name: Build SBOMs
  runs-on: ubuntu-22.04            # a job needs a runner to be schedulable
  needs: [release-please, prepare]
  strategy:
    matrix: ${{ fromJson(needs.prepare.outputs.BUILD_MATRIX) }}
  steps:
  - name: Check out sources
    uses: actions/checkout@v3      # sbom-action scans the checked-out path below
  - name: SBOM ${{ matrix.config.artifact }}
    uses: anchore/sbom-action@v0.13.1
    with:
      format: spdx
      path: ./${{ matrix.config.working-dir }}
      artifact-name: sboms         # same artifact name for every matrix entry

This uses the matrix with all artifacts and then it should pack them all into the same artifact.
After this, we need another step to attach that sboms artifact to the release, though.
You can essentially do something like this
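
Added example (editor's code, not the reviewer's snippet above and not Keptn's own workflow): the two jobs below generate one SPDX SBOM per matrix entry with anchore/sbom-action and then attach every SBOM to the release as assets. Assumptions not taken from the PR: the `prepare` job's BUILD_MATRIX entries carry `config.artifact` and `config.working-dir`, the `release-please` job exposes the new tag as `outputs.tag_name`, and `gh` and `jq` are available on the runner (both ship with the ubuntu-22.04 runner image). `spdx-json` is used instead of `spdx` so the release job can sanity-check each file with jq before uploading it.

```yaml
# Added example, not Keptn's workflow. Only the jobs section is shown; the
# existing `release-please` and `prepare` jobs (not reproduced here) are
# assumed to run earlier in the same workflow.
permissions:
  contents: write          # `gh release upload` needs write access to releases

jobs:
  build_sboms:
    name: Build SBOMs
    runs-on: ubuntu-22.04
    needs: [release-please, prepare]
    strategy:
      matrix: ${{ fromJson(needs.prepare.outputs.BUILD_MATRIX) }}   # assumed shape: config.artifact, config.working-dir
    steps:
      - uses: actions/checkout@v3

      - name: SBOM ${{ matrix.config.artifact }}
        uses: anchore/sbom-action@v0.13.1
        with:
          format: spdx-json     # JSON so the release job can check it with jq
          path: ./${{ matrix.config.working-dir }}
          # one artifact per matrix entry; a single shared name would have the
          # parallel jobs upload files with the same path into one artifact
          artifact-name: ${{ matrix.config.artifact }}.spdx.json

  attach_sboms:
    name: Attach SBOMs to release
    runs-on: ubuntu-22.04
    needs: [release-please, build_sboms]
    steps:
      # No `name` given: download-artifact@v3 then fetches every artifact of
      # this run into sboms/<artifact-name>/
      - uses: actions/download-artifact@v3
        with:
          path: sboms

      - name: Check that each SBOM parses and lists at least one package
        run: |
          set -euo pipefail
          for f in sboms/*/*.spdx.json; do
            jq -e '.spdxVersion and (.packages | length > 0)' "$f" > /dev/null \
              || { echo "invalid or empty SBOM: $f"; exit 1; }
          done

      - name: Upload SBOMs as release assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          # assumed output name: the tag created by the release-please job
          gh release upload "${{ needs.release-please.outputs.tag_name }}" \
            sboms/*/*.spdx.json --clobber
```

Giving each matrix entry its own artifact-name keeps the parallel jobs from overwriting one another inside a single shared artifact, and the jq check fails the run before an empty or truncated SBOM is published under the release; `--clobber` makes a re-run of the job replace assets it already uploaded instead of failing.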

sonarcloud bot commented Jan 6, 2023

Kudos, SonarCloud Quality Gate passed!

Bugs: A (0 Bugs)
Vulnerabilities: A (0 Vulnerabilities)
Security Hotspots: A (0 Security Hotspots)
Code Smells: A (0 Code Smells)

No Coverage information
No Duplication information

riteshsonawane1372 closed this by deleting the head repository on Jan 8, 2023