adiing sbom to the pipeline

bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2

@@ -33,7 +33,7 @@ spec:
         volumeMounts:
         - mountPath: /fileuploads
           name: staticfiles
-      - image: quay.io/siamaksade/nginx:latest
+      - image: quay.io/allenfouladi/nginx:latest
         name: nginx
         ports:
         - containerPort: 8080

bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml

@@ -114,7 +114,7 @@
   shell: |
     oc get BackingStore/"{{ backing_store_name }}" -n openshift-storage -o jsonpath='{.status.phase}'
   register: backing_store
-  retries: 10
+  retries: 20
   delay: 20
   until:
     - backing_store.stdout == "Ready"

bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml

@@ -14,6 +14,7 @@
   - ./templates/task-rox-image-check.yaml.j2
   - ./templates/task-s2i-java-11.yaml.j2
   - ./templates/task-zap-proxy.yaml.j2
+  - ./templates/task-syft-sbom.yaml.j2
 
 - name: Create OpenShift Objects for Openshift Pipeline Triggers
   k8s:

bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2

@@ -0,0 +1,64 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: syft-sbom
+  namespace: cicd
+spec:
+  description: This Task can be used to generate a SBOM file with Syft.
+  params:
+    - default: $(workspaces.source.path)
+      description: Application folder to scan
+      name: APP_PATH
+      type: string
+    - default: reports
+      description: The reports repository username
+      name: REPORTS_REPO_USERNAME
+      type: string
+    - default: reports
+      description: The reports repository password
+      name: REPORTS_REPO_PASSWORD
+      type: string
+    - default: 'http://reports-repo:8080'
+      description: >-
+        The reports repository host based on
+        https://github.com/chmouel/openshift-django-uploader
+      name: REPORTS_REPO_HOST
+      type: string
+  steps:
+    - env:
+        - name: PIPELINERUN_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: 'metadata.labels[''tekton.dev/pipelineRun'']'
+      image: 'registry.access.redhat.com/ubi8/ubi:latest'
+      name: syft-scan
+      resources: {}
+      script: >
+        #!/usr/bin/env bash
+
+        echo '## Getting Syft ##'
+
+        pwd
+
+        curl -sSfL
+        https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s
+        -- -b .
+
+        chmod +x ./syft
+
+        echo '## Scanning folder and generating SBOM ##'
+
+        ./syft $(params.APP_PATH) -o spdx-json=sbom.json
+
+        echo '## SBOM content ##'
+
+        cat ./sbom.json
+
+        echo "Uploading the report into the report server"
+
+        curl -u $(params.REPORTS_REPO_USERNAME):$(params.REPORTS_REPO_PASSWORD)
+        -F path=$PIPELINERUN_NAME/$'PIPELINERUN_NAME'-sbom.json -F [email protected] -X
+        POST $(params.REPORTS_REPO_HOST)/upload; echo ""
+  workspaces:
+    - description: The workspace consisting of maven project.
+      name: source

bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json

@@ -31,7 +31,7 @@
                             "negate": false,
                             "values": [
                                 {
-                                    "value": "io.stackrox.signatureintegration.6388cd9f-e65a-4562-9364-5ee5ad6a199a"
+                                    "value": "io.stackrox.signatureintegration.9e37b973-37bd-4d0a-b329-7fc01019c8ed"
                                 }
                             ]
                         }

bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2

@@ -4,6 +4,17 @@ metadata:
   name: petclinic-build-dev
   namespace: cicd
 spec:
+  finally:
+    - name: syft-sbom
+      params:
+        - name: APP_PATH
+          value: $(workspaces.source.path)
+      taskRef:
+        kind: Task
+        name: syft-sbom
+      workspaces:
+        - name: source
+          workspace: workspace
   params:
     - name: APP_SOURCE_GIT
       type: string
@@ -276,4 +287,4 @@ spec:
     workspaces:
     - name: simulations
       workspace: workspace
-      subPath: spring-petclinic-gatling
+      subPath: spring-petclinic-gatling

install.sh

@@ -18,3 +18,4 @@ err() {
 
 info "Installing Demo"
 ansible-playbook bootstrap/deploy_demo.yaml -v
+ansible-playbook bootstrap/deploy_signing.yaml -v