ci: generate SBOMs for release artifacts using goreleaser

Enhance transparency and security by providing a Software Bill of Materials (SBOM) for release artifacts, enabling easier tracking and auditing of dependencies. Signed-off-by: Michael Adler <[email protected]>
siemens · Dec 17, 2024 · 50430ed · 50430ed
1 parent 31c247f
commit 50430ed
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 0 deletions.
diff --git a/.ci/packages/syft.sh b/.ci/packages/syft.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2024 Siemens AG
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Author: Michael Adler <[email protected]>
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+. "$SCRIPT_DIR/versions.env"
+
+echo "Installing syft $SYFT_VERSION"
+curl -L -o /tmp/syft.deb "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.deb"
+dpkg -i /tmp/syft.deb
+rm -f /tmp/syft.deb
diff --git a/.ci/packages/versions.env b/.ci/packages/versions.env
@@ -10,3 +10,4 @@ export STATICCHECK_VERSION=2024.1.1 # github-releases/dominikh/go-tools&versioni
 export SWAGGER_VERSION=0.31.0 # github-releases/go-swagger/go-swagger&versioning=semver
 export ZIG_VERSION=0.13.0 # github-releases/ziglang/zig&versioning=semver
 export MARKDOWN_LINK_CHECK_VERSION=3.12.2 # github-releases/tcort/markdown-link-check&versioning=semver
+export SYFT_VERSION=1.17.0 # github-releases/anchore/syft&versioning=semver
diff --git a/.ci/setup-build.sh b/.ci/setup-build.sh
@@ -9,3 +9,4 @@ apt-get install -q -y --no-install-recommends xz-utils zstd
 "$SCRIPT_DIR/packages/just.sh"
 "$SCRIPT_DIR/packages/zig.sh"
 "$SCRIPT_DIR/packages/goreleaser.sh"
+"$SCRIPT_DIR/packages/syft.sh"
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -266,3 +266,17 @@ changelog:
     exclude:
       - "^docs:"
       - "^test:"
+
+sboms:
+  - id: spdx
+    artifacts: binary
+    cmd: syft
+    args: ["$artifact", "--output", "spdx-json=$document"]
+    documents:
+      - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.spdx.sbom.json"
+  - id: cyclonedx
+    artifacts: binary
+    cmd: syft
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+    documents:
+      - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.cyclonedx.sbom.json"
diff --git a/shell.nix b/shell.nix
@@ -29,6 +29,7 @@ mkShell {
 
     gnumake
     goreleaser
+    syft
     zig_0_13
     just
     git
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,7 @@ mkShell { @@
         gnumake
         goreleaser
+        syft
         zig_0_13
         just
         git
@@ Expand Down @@