SBOMs for Helmfile, docker-compose and Helm charts#5122
Pull request overview
Adds tooling to generate CycloneDX SBOMs for deployment artifacts (Helm charts, Helmfile, docker-compose) and upload them to Dependency-Track, wiring required CLI tools into the Nix dev environment and exposing make targets to run the workflow.
Changes:
- Add SBOM generation scripts for Helm charts, Helmfile, and docker-compose, plus shared helpers and a centralized `syft` runner.
- Add Dependency-Track upload/check scripts and new Makefile targets to generate/validate/upload SBOMs.
- Extend flake/Nix dev shell inputs to include `syft` and `cyclonedx-cli` (via unstable nixpkgs for `syft`).
Reviewed changes
Copilot reviewed 5 out of 14 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| nix/wire-server.nix | Adds syft and cyclonedx-cli to the dev environment. |
| nix/default.nix | Threads pkgs_unstable through to wire-server.nix. |
| flake.nix | Introduces nixpkgs-unstable and passes pkgs_unstable into ./nix. |
| flake.lock | Locks the added nixpkgs-unstable input. |
| hack/bin/upload-sbom.sh | New script to upload SBOMs to Dependency-Track and manage project hierarchy/metadata. |
| hack/bin/check-sbom-status.sh | New helper to query Dependency-Track processing status by token. |
| hack/bin/sbom-common.sh | Shared helpers for SBOM generation (image canonicalization, schema1 handling, validation). |
| hack/bin/run-syft.sh | Centralizes syft invocation/config for consistent SBOM output. |
| hack/bin/create-helmfile-sboms.sh | Generates SBOMs for images referenced by rendered Helmfile output. |
| hack/bin/create-helm-sboms.sh | Generates SBOMs for images discovered via helm template across charts. |
| hack/bin/create-docker-compose-sboms.sh | Generates SBOMs for images in docker-compose config. |
| Makefile | Adds SBOM generation/validation/upload targets and a Dependency-Track project name variable. |
| .gitignore | Ignores tmp/ (used for SBOM outputs). |
| changelog.d/5-internal/sboms | Changelog entry for SBOM tooling. |
Pull request overview
Adds end-to-end SBOM generation (CycloneDX JSON via syft) for Wire Server images across Helm charts, docker-compose ephemeral deploy, and helmfile-based integration deploys, plus tooling to validate and upload SBOMs to Dependency-Track.
Changes:
- Add new `hack/bin/*` scripts to generate SBOMs for Helm charts, docker-compose images, and helmfile-rendered images, plus upload helpers.
- Add Makefile targets to generate, validate (via `cyclonedx`), and upload all SBOMs.
- Extend Nix flake/dev environment to include `syft` (from nixpkgs-unstable) and `cyclonedx-cli`.
Reviewed changes
Copilot reviewed 5 out of 14 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| nix/wire-server.nix | Adds pkgs_unstable.syft and cyclonedx-cli into the dev environment inputs. |
| nix/default.nix | Threads pkgs_unstable into the nix package set import chain. |
| flake.nix | Adds nixpkgs-unstable input and exposes pkgs_unstable to ./nix. |
| flake.lock | Locks the new nixpkgs-unstable dependency. |
| hack/bin/sbom-common.sh | Shared helpers for Docker availability, image canonicalization, schema1 handling, and basic JSON validation. |
| hack/bin/run-syft.sh | Centralizes syft invocation and environment settings for consistent output. |
| hack/bin/create-helm-sboms.sh | Generates SBOMs for images discovered via helm template per chart. |
| hack/bin/create-docker-compose-sboms.sh | Generates SBOMs for images from docker-compose config. |
| hack/bin/create-helmfile-sboms.sh | Generates SBOMs for images extracted from rendered helmfile templates. |
| hack/bin/upload-sbom.sh | Uploads a single SBOM to Dependency-Track and fixes parent/external reference relations. |
| hack/bin/upload-all-sboms.sh | Iterates over generated SBOMs and uploads them by source type. |
| Makefile | Adds SBOM generation/validation/upload targets (but currently contains unintended corruption in openapi-validate). |
| .gitignore | Ignores tmp/ where SBOMs are generated. |
| changelog.d/5-internal/sboms | Changelog entry for SBOM generation/upload. |
Force-pushed from 5b88b36 to f3a3ed0.
Adds `syft` for SBOM creation, `skopeo` to convert Docker images and `cyclonedx-cli` to validate SBOMs. The process is driven via Makefile targets: `sboms` creates the SBOM files, `upload-sboms` uploads them to Dependency-Track.
Force-pushed from f3a3ed0 to 95a2a95.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Adds end-to-end SBOM (CycloneDX) generation and Dependency-Track upload tooling for Wire Server deployments (Helm charts, helmfile, docker-compose), integrating required tooling into the Nix dev environment and exposing Make targets to run the workflow.
Changes:
- Introduces SBOM generation scripts for Helm charts, helmfile-based deployments, and docker-compose deployments (via `syft` + `skopeo` schema-v1 handling).
- Adds SBOM upload scripts that create/maintain Dependency-Track project hierarchy and upload SBOMs in bulk.
- Extends Nix flake/dev env to include `syft` (from nixpkgs-unstable) and `cyclonedx-cli`, plus Makefile targets and housekeeping (`tmp/sboms`, `.gitignore`).
Reviewed changes
Copilot reviewed 6 out of 15 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| treefmt.toml | Adjusts shellcheck invocation to follow sourced files. |
| nix/wire-server.nix | Adds syft (unstable) + cyclonedx-cli to the dev environment inputs. |
| nix/default.nix | Wires pkgs_unstable through to wire-server.nix. |
| flake.nix | Adds nixpkgs-unstable input and exposes pkgs_unstable to the Nix import chain. |
| flake.lock | Locks the new nixpkgs-unstable dependency. |
| hack/bin/sbom-common.sh | Shared helpers for canonicalizing image refs, schema-v1 conversion, and JSON sanity checks. |
| hack/bin/run-syft.sh | Centralizes syft invocation and standard env configuration. |
| hack/bin/create-helm-sboms.sh | Generates SBOMs by extracting images from rendered Helm charts. |
| hack/bin/create-helmfile-sboms.sh | Generates SBOMs by extracting images from helmfile template. |
| hack/bin/create-docker-compose-sboms.sh | Generates SBOMs from images listed by docker compose config --images. |
| hack/bin/upload-sbom.sh | Uploads a single SBOM while ensuring Dependency-Track project structure exists and is linked. |
| hack/bin/upload-all-sboms.sh | Uploads all generated SBOMs under tmp/sboms/*. |
| Makefile | Adds sboms*, upload-sboms, and validate-sboms targets and cleans tmp/sboms. |
| .gitignore | Ignores tmp/ where SBOMs are generated. |
| changelog.d/5-internal/sboms | Documents the internal SBOM feature addition. |
This PR adds comprehensive Software Bill of Materials (SBOM) generation and upload capabilities for Wire Server. The implementation creates CycloneDX-format SBOMs for three deployment methods:
The workflow uses `syft` for SBOM generation, `skopeo` for Docker schema v1 compatibility, and `cyclonedx-cli` for validation, with Makefile targets orchestrating the process and uploading to Dependency Track.

Unfortunately, the `syft` version in `nixos-25.11` is broken. Thus, we're resorting to `unstable`.

The results of a test-run can be seen here: https://deptrack.wire.link/projects/804b3a49-644f-4feb-a0e1-bd8e9126d35c/collectionprojects

It was created with

(In the second command, `HELM_SEMVER=0.0.63` is just the version of the project in Dependency Track. I'm using bogus versions there because the namespace fills up quickly.)

Ticket: https://wearezeta.atlassian.net/browse/WPB-20616
Checklist
changelog.d
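The upload-and-poll step the description refers to (the `upload-sboms` target and the upload/status-check scripts under `hack/bin`), as an added example that is not the PR's own code: it talks to the documented Dependency-Track endpoints (`PUT /api/v1/bom`, `GET /api/v1/bom/token/<uuid>`, `X-Api-Key` header) and does a cheap CycloneDX sanity check before sending. The base URL, API key and project names are placeholders, and reusing the child's version as the parent project's version is an assumption.

```python
"""Upload a CycloneDX SBOM to Dependency-Track and wait until it is processed.
Added example, not the PR's hack/bin/upload-sbom.sh. Uses the public
Dependency-Track API (PUT /api/v1/bom, GET /api/v1/bom/token/<uuid>, X-Api-Key);
the HTTP transport is injectable so the logic can be exercised offline."""
import base64
import json
import time
import urllib.request

def check_cyclonedx_json(bom_bytes):
    """Sanity check before upload: must parse and declare bomFormat CycloneDX."""
    bom = json.loads(bom_bytes)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX JSON BOM")
    return bom

def build_upload_payload(bom_bytes, project_name, project_version,
                         parent_name=None, parent_version=None):
    """Body for PUT /api/v1/bom: BOM is base64-encoded; autoCreate lets
    Dependency-Track create the project (under parent_name) on first upload."""
    check_cyclonedx_json(bom_bytes)
    payload = {"projectName": project_name, "projectVersion": project_version,
               "autoCreate": True,
               "bom": base64.b64encode(bom_bytes).decode("ascii")}
    if parent_name:
        payload["parentName"] = parent_name
        # Assumption: parent shares the child's version unless told otherwise.
        payload["parentVersion"] = parent_version or project_version
    return payload

def urllib_transport(method, url, headers, body=None):
    """Default transport: (method, url, headers, body) -> parsed JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def upload_and_wait(base_url, api_key, bom_bytes, project_name, project_version,
                    parent_name=None, transport=urllib_transport,
                    poll_seconds=2.0, max_polls=60):
    """Upload, then poll the returned token until processing is false."""
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    body = json.dumps(build_upload_payload(
        bom_bytes, project_name, project_version, parent_name)).encode()
    token = transport("PUT", f"{base_url}/api/v1/bom", headers, body)["token"]
    for _ in range(max_polls):
        status = transport("GET", f"{base_url}/api/v1/bom/token/{token}",
                           {"X-Api-Key": api_key})
        if not status.get("processing", False):
            return token
        time.sleep(poll_seconds)
    raise TimeoutError(f"Dependency-Track still processing token {token}")
```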