Skip to content

Use SHA256 digest versioning for docker/chainguard SBOMs#13

Merged
vpetersson merged 2 commits into
masterfrom
digest-based-versioning
Mar 6, 2026
Merged

Use SHA256 digest versioning for docker/chainguard SBOMs#13
vpetersson merged 2 commits into
masterfrom
digest-based-versioning

Conversation

@vpetersson
Copy link
Copy Markdown
Contributor

@vpetersson vpetersson commented Mar 6, 2026

Summary

  • Docker/chainguard sources now use the image SHA256 digest as COMPONENT_VERSION instead of the mutable tag, fixing false dedup and enabling content traceability
  • New sbomify API dedup: before upload, checks if the release already has an artifact with the same digest; after upload, cleans up stale artifacts for the same component
  • github_release/lockfile sources unchanged — still use semver with TEA dedup

Changes

File Description
scripts/sources/docker-attestation.sh Write image_digest to image-digest.txt
scripts/sources/chainguard.sh Resolve digest via crane digest, write to image-digest.txt
scripts/lib/sbomify-api.sh New — sbomify_digest_exists and sbomify_cleanup_old_artifacts
.github/workflows/sbom-builder.yml Digest read step, sbomify dedup check, unified upload decision, digest-based version, artifact cleanup

Test plan

  • Dry-run PR CI validates all apps pass (no API calls in dry-run)
  • Manual dispatch for one docker app (e.g. alpine): verify digest read, dedup check, upload with digest version, old artifact cleanup
  • Re-run same app: verify dedup detects existing digest and skips upload
  • Run a github_release/lockfile app: verify TEA dedup path still works unchanged

🤖 Generated with Claude Code

vpetersson and others added 2 commits March 6, 2026 20:34
@vpetersson @claude
Use SHA256 digest as SBOM version for docker/chainguard sources
460ba38 
Docker image tags are mutable — the same tag (e.g. alpine:3.23.3) gets
rebuilt with different content. Using the tag as COMPONENT_VERSION caused
false dedup (old tag found → new SBOM never uploaded) and no traceability
to actual image content.

Now docker and chainguard sources persist the image digest to
image-digest.txt and use it as the SBOM version. Dedup checks the
sbomify API for existing artifacts with that digest, and after upload,
stale artifacts for the same component are cleaned up.

github_release and lockfile sources are unchanged (semver, TEA dedup).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vpetersson @claude
Add standalone products for Dependency Track and bundle_product_id su…
e7c544e 
…pport

Dependency Track API Server and Frontend now have their own standalone
products in sbomify, with the shared "Dependency Track" bundle referenced
via bundle_product_id. The workflow builds PRODUCT_RELEASE with both IDs
so SBOMs are tagged to both the standalone and bundle releases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vpetersson vpetersson merged commit 5526caf into master Mar 6, 2026
119 of 120 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vpetersson