fix: build attestations by including provenance and SBOM (#103)

Author: Djaytan

src/main/docker/Dockerfile

@@ -16,6 +16,9 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
 FROM docker.io/eclipse-temurin:21-jdk-alpine@sha256:2f2f553ce09d25e2d2f0f521ab94cd73f70c9b21327a29149c23a2b63b8e29a0 AS jre-build
 
 # Create a custom Java runtime.

src/main/docker/docker-bake.hcl

@@ -65,7 +65,6 @@ target "dev" {
   ]
 }
 
-# TODO: OWASP RULE#13 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-13-enhance-supply-chain-security
 target "release" {
   description = "Builds the image for production purposes."
   args = {
@@ -96,4 +95,13 @@ target "release" {
     annotation("org.opencontainers.image.created", "${formatdate("YYYY-MM-DD'T'hh:mm:ss'Z'", timestamp())}"),
     notequal(REVISION, "") ? annotation("org.opencontainers.image.revision", REVISION) : ""
   ]
+  attest = [
+    {
+      type = "provenance",
+      mode = "max",
+    },
+    {
+      type = "sbom",
+    }
+  ]
 }