SBOM generation

Signed-off-by: Alexey Makhov <[email protected]>
makhov · Sep 27, 2023 · b34843f · b34843f
1 parent 0ff951f
commit b34843f
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 0 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -48,6 +48,26 @@ jobs:
         run: |
           make docker-build
 
+  generate-sbom:
+    name: "Build :: SBOM"
+    needs: [ build ]
+
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+
+      - name: Generate SBOM
+        run: |
+          mkdir -p sbom && chmod 777 sbom
+          make sbom/spdx.json
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: spdx.json
+          path: sbom/spdx.json
+
   unittest:
     name: Unit test
     needs: build

diff --git a/.github/workflows/sbom-upload.yml b/.github/workflows/sbom-upload.yml
@@ -0,0 +1,36 @@
+name: SBOM upload
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  sbom-upload:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Generate SBOM
+        env:
+          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          mkdir -p sbom && chmod 777 sbom
+          echo $COSIGN_KEY | base64 -d > cosign.key
+          make sign-sbom
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: sbom
+          path: sbom/
+
+      - name: SBOM upload
+        uses: advanced-security/[email protected]
+        with:
+          filePath: sbom/spdx.json
diff --git a/Makefile b/Makefile
@@ -252,3 +252,35 @@ kind-deploy-k0smotron: release k0smotron-image-bundle.tar
 	kubectl apply -f install.yaml
 	kubectl rollout restart -n k0smotron deployment/k0smotron-controller-manager
 
+sbom/spdx.json: go.mod
+	mkdir -p -- '$(dir $@)'
+	docker run --rm \
+	  -v "$(CURDIR)/go.mod:/k0s/go.mod" \
+	  -v "$(CURDIR)/embedded-bins/staging/linux/bin:/k0s/bin" \
+	  -v "$(CURDIR)/syft.yaml:/tmp/syft.yaml" \
+	  -v "$(CURDIR)/sbom:/out" \
+	  --user $(BUILD_UID):$(BUILD_GID) \
+	  anchore/syft:v0.90.0 \
+	  /k0s -o [email protected]=/out/spdx.json -c /tmp/syft.yaml
+
+.PHONY: sign-sbom
+sign-sbom: sbom/spdx.json
+	docker run --rm \
+	  -v "$(CURDIR):/k0s" \
+	  -v "$(CURDIR)/sbom:/out" \
+	  -e COSIGN_PASSWORD="$(COSIGN_PASSWORD)" \
+	  gcr.io/projectsigstore/cosign:v2.2.0 \
+	  sign-blob \
+	  --key /k0s/cosign.key \
+	  --tlog-upload=false \
+	  /k0s/sbom/spdx.json --output-file /out/spdx.json.sig
+
+.PHONY: sign-pub-key
+sign-pub-key:
+	docker run --rm \
+	  -v "$(CURDIR):/k0s" \
+	  -v "$(CURDIR)/sbom:/out" \
+	  -e COSIGN_PASSWORD="$(COSIGN_PASSWORD)" \
+	  gcr.io/projectsigstore/cosign:v2.2.0 \
+	  public-key \
+	  --key /k0s/cosign.key --output-file /out/cosign.pub
diff --git a/syft.yaml b/syft.yaml
@@ -0,0 +1,4 @@
+file-metadata:
+  cataloger:
+    enabled: true
+  digests: ["sha256"]