Create SBOM using Syft #134
This is just a placeholder that should be replaced later with actual sbom content of this project Signed-off-by: Brend Smits <brend.smits@philips.com>
This commit makes it ready for a pull request, it will only trigger on a release build for now. It should also be noted that this workflow currently still uses a temporary SBOM SPDX, a new pull request should be created to generate the SBOM Signed-off-by: Brend Smits <brend.smits@philips.com>
Codecov Report
| Coverage Diff | main | #134 | +/- |
|---|---|---|---|
| Coverage | 77.54% | 77.54% | |
| Files | 15 | 15 | |
| Lines | 610 | 610 | |
| Hits | 473 | 473 | |
| Misses | 97 | 97 | |
| Partials | 40 | 40 | |
Yaml formatting and cosign{-installer} version
…ovenance-Action into feature/create-sbom
Looks good. I would still like to check, using crane and the local command line against a draft release created from the current state of the PR, that all these SBOMs and related artifacts are released accordingly, to ensure the goreleaser configs are also accurate.
… it getting stuck Signed-off-by: Brend Smits <brend.smits@philips.com>
e5a1afd to 7bc5302
287b3eb to 30cbe62
https://github.com/philips-labs/slsa-provenance-action/runs/5235719140?check_suite_focus=true
The SBOM is created using tooling from Anchore, called Syft. Syft was chosen because of the ease of use and the good integration with our tech stack.
I think this could have been a separate step in the workflow, but in the end I chose not to go this route. The reason being that it would repeat a lot of the same code and would raise a new problem: we would have to upload a temporary artifact or pass along a different output (which may have issues being passed around, since SBOMs can be relatively large in size).
This PR also removes the filter sbom spdx.
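Since the earlier commits shipped a placeholder SPDX document, a release job benefits from a sanity check that the SBOM attached to a release is a real Syft-generated document and not the placeholder. The following is an added example, not code from this PR or the slsa-provenance-action project; it assumes the SBOM is in the SPDX 2.x JSON format Syft emits, and the embedded document is a constructed sample, not the project's actual SBOM.

```python
"""Sanity-check an SPDX JSON SBOM such as the one Syft produces for a release."""
import json

# Constructed minimal SPDX 2.2 JSON document in the shape Syft emits
# (package names and versions are illustrative, not taken from the project).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-release-asset",
    "creationInfo": {"creators": ["Tool: syft-0.0.0-constructed"],
                     "created": "2022-02-17T00:00:00Z"},
    "packages": [
        {"name": "github.com/spf13/cobra", "SPDXID": "SPDXRef-Package-cobra",
         "versionInfo": "v1.3.0"},
        {"name": "golang.org/x/sys", "SPDXID": "SPDXRef-Package-x-sys",
         "versionInfo": "v0.0.0-20220114"},
    ],
})

# Constructed stand-in for the placeholder document the early commits shipped.
PLACEHOLDER_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "creationInfo": {"creators": ["Person: someone"]},
    "packages": [],
})


def check_sbom(raw: str) -> dict:
    """Return a summary plus the problems that should fail a release job.

    An SBOM with no packages, or not produced by syft, is treated as a
    placeholder so the pipeline stops instead of publishing an empty document.
    """
    doc = json.loads(raw)
    problems = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        problems.append("not an SPDX 2.x document")
    creators = doc.get("creationInfo", {}).get("creators", [])
    if not any(c.startswith("Tool: syft") for c in creators):
        problems.append("not generated by syft (creators=%r)" % creators)
    packages = doc.get("packages", [])
    if not packages:
        problems.append("no packages listed (placeholder SBOM?)")
    seen = set()
    for pkg in packages:
        if not pkg.get("versionInfo"):
            problems.append("package %s has no version" % pkg.get("name"))
        if pkg.get("SPDXID") in seen:
            problems.append("duplicate SPDXID %s" % pkg.get("SPDXID"))
        seen.add(pkg.get("SPDXID"))
    return {"packages": len(packages), "creators": creators, "problems": problems}
```

Running `check_sbom` over each downloaded `*.spdx.json` release asset and failing on a non-empty `problems` list gives the reviewer's "are the SBOMs actually released" check a concrete gate.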