feat: generate SBOM during KubeArmor release #1735
Conversation
There was a problem hiding this comment.
Hey @sandipanpanda,
Thanks for the PR 🙌🏽 Looks in the right direction.
Can we handle this for all the kubearmor images? (operator,snitch and controller)
Ref
.github/workflows/sbom.yaml
Outdated
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh release upload ${{github.ref_name}} kubearmor_${{github.ref_name}}_sbom.spdx.json |
There was a problem hiding this comment.
KubeArmor uses goreleaser for it's github package rleases.
I think this would be better integrated with go releaser for future releases.
Ref https://goreleaser.com/customization/sbom/
What do you think?
There was a problem hiding this comment.
Goreleaser only showcases Syft as an example.
The bom project itself uses goreleaser with bom
Reference https://github.com/kubernetes-sigs/bom/blob/main/.goreleaser.yml#L61
| - name: Generate SBOM | ||
| shell: bash | ||
| run: | | ||
| bom generate --format json -ao sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx.json \ |
There was a problem hiding this comment.
Let's use full flags for more clarity with bom and with cosign as well.
I'm running into following as of now:
$ ./bom version
______ _____ ___ ___
| ___ \| _ || \/ |
| |_/ /| | | || . . |
| ___ \| | | || |\/| |
| |_/ /\ \_/ /| | | |
\____/ \___/ \_| |_/
bom: A tool for working with SPDX manifests
GitVersion: v0.6.0
GitCommit: 9be3ab7
GitTreeState: clean
BuildDate: 2024-01-15T06:35:50Z
GoVersion: go1.21.6
Compiler: gc
Platform: linux/amd64
$ ./bom generate --format=json --image=kubearmor/kubearmor:stable
INFO bom v0.6.0: Generating SPDX Bill of Materials
INFO Processing image reference: kubearmor/kubearmor:stable
INFO Reference kubearmor/kubearmor:stable points to an index
INFO Reference image index points to 4 manifests
INFO Adding image index.docker.io/kubearmor/kubearmor@sha256:7fe5309c7765c5959458ed4a6c738dd25070fbfa53c9ebc5762520708bf96822 (amd64/linux)
INFO Adding image index.docker.io/kubearmor/kubearmor@sha256:8d24e0131566c85f3203ce4bb754583601e00248e840d97ca14b2dd36bdc441b (arm64/linux)
INFO Adding image index.docker.io/kubearmor/kubearmor@sha256:22e34a51116f0c9ff5b4142013a6a75b558ab8c7722d4dc1b6ef013706c593da (unknown/unknown)
INFO Adding image index.docker.io/kubearmor/kubearmor@sha256:1a61aff7987670a5b929700d5e1f9c0f2aec5a71db0060255c612be5732d0a45 (unknown/unknown)
INFO Generating SBOM for multiarch image index.docker.io/kubearmor/kubearmor@sha256:eecaf9d979b2ef70acb374e607b945d11d998a79bbd3c0e65f7ee75164396433
INFO Package describes image index.docker.io/kubearmor/kubearmor:1a61aff7987670a5b929700d5e1f9c0f2aec5a71db0060255c612be5732d0a45
INFO Image manifest lists 1 layers
FATA generating doc: scanning images: generating SPDX package from image ref kubearmor/kubearmor:stable: generating image package: adding image variant package: getting os data from container: checking if file exists in layer: reading tarfile: archive/tar: invalid tar headerI tested bom with another image on ghcr.io and that is working. I'll look more into this tomorrow.
The attestation parts looks good to me.
Thank you very much for the PR.
There was a problem hiding this comment.
cc @puerco, this seems to have been related to kubernetes-sigs/bom#36 which was fixed.
There was a problem hiding this comment.
@sandipanpanda were you able to generate SBOMs using bom locally on your system?
There was a problem hiding this comment.
No, I am facing the same error as yourself.
FATA generating doc: scanning images: generating SPDX package from image ref kubearmor/kubearmor:stable: generating image package: adding image variant package: getting os data from container: checking if file exists in layer: reading tarfile: archive/tar: invalid tar header
This seems to be a bug in the K8s bom, and we cannot move forward with this until it is resolved.
Hi @daemon1024, thanks for pointing that out. Yes, this is doable. |
Generate Software Bill of Materials (SBOM) using Kubernetes bom (https://github.com/kubernetes-sigs/bom) during KubeArmor release. Automate SBOM generation. This checks the SBOM check of KubeArmor under Security tab on CLOMonitor and increase the CLOMonitor score of KubeArmor. Ref: https://clomonitor.io/projects/cncf/kubearmor#kubearmor_security Signed-off-by: Sandipan Panda <samparksandipan@gmail.com>
sandipanpanda
force-pushed
the
generate-sbom
branch
from
ef72788
to
17a01f2
Compare
Purpose of PR?:
Generate Software Bill of Materials (SBOM) using Kubernetes bom during KubeArmor release. Automate SBOM generation.
This checks the SBOM check of KubeArmor under Security tab on CLOMonitor and increase the CLOMonitor score of KubeArmor.
Ref KubeArmor Security
Next step: We can scan the generated SBOM for vulnerabilities using Trivy.
Does this PR introduce a breaking change?
No
If the changes in this PR are manually verified, list down the scenarios covered::
Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs
Checklist:
<type>(<scope>): <subject>