Skip to content

add code for attaching sbom #336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
rizul2108 wants to merge 3 commits into from
Closed

add code for attaching sbom #336

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
30dfbe4
add code for attaching sbom
rizul2108 Feb 27, 2025
d95aae7
Merge branch 'main' into attaching-SBOM
rizul2108 Feb 27, 2025
bc8bd16
Merge branch 'main' into attaching-SBOM
rizul2108 Apr 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 59 additions & 2 deletions dagger/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -319,7 +319,7 @@ func getVersion(tags []string) string {
return "latest"
}

// PublishImageAndSign builds and publishes container images to a registry with a specific tags and then signs them using Cosign.
// PublishImageAndSign builds and publishes container images to a registry with a specific tags and then signs and attests them with their SBOM using Cosign.
func (m *HarborCli) PublishImageAndSign(
ctx context.Context,
registry string,
Expand All @@ -334,7 +334,13 @@ func (m *HarborCli) PublishImageAndSign(
actionsIdTokenRequestUrl string,
) (string, error) {
imageAddrs := m.PublishImage(ctx, registry, registryUsername, imageTags, registryPassword)
_, err := m.Sign(

sbom, err := m.GenerateSBOM(ctx)
if err != nil {
return "", fmt.Errorf("failed to generate SBOM: %w", err)
}

_, err = m.Sign(
ctx,
githubToken,
actionsIdTokenRequestUrl,
Expand All @@ -343,14 +349,38 @@ func (m *HarborCli) PublishImageAndSign(
registryPassword,
imageAddrs[0],
)

if err != nil {
return "", fmt.Errorf("failed to sign image: %w", err)
}

err = m.AttestImage(
ctx,
registryUsername,
registryPassword,
imageAddrs[0],
sbom,
)
if err != nil {
return "", fmt.Errorf("failed to attest image: %w", err)
}


fmt.Printf("Signed image: %s\n", imageAddrs)
return imageAddrs[0], nil
}

// GenerateSBOM generates an SBOM from the go.mod file using Syft
func (m *HarborCli) GenerateSBOM(ctx context.Context) (string, error) {
sbom := dag.Container().
From(fmt.Sprintf("anchore/syft:%s", SYFT_VERSION)).
WithMountedDirectory("/src", m.Source).
WithWorkdir("/src").
WithExec([]string{"syft", "packages", "go.mod", "-o", "spdx-json"})

return sbom.Stdout(ctx)
}

// Sign signs a container image using Cosign, works also with GitHub Actions
func (m *HarborCli) Sign(ctx context.Context,
// +optional
Expand Down Expand Up @@ -388,3 +418,30 @@ func (m *HarborCli) Sign(ctx context.Context,
"--timeout", "1m",
}).Stdout(ctx)
}

// AttestImage attests the image with the SBOM using Cosign
func (m *HarborCli) AttestImage(
ctx context.Context,
registryUsername string,
registryPassword *dagger.Secret,
imageAddr string,
sbom string,
) error {
registryPasswordPlain, _ := registryPassword.Plaintext(ctx)

cosign_ctr := dag.Container().From("cgr.dev/chainguard/cosign")

sbomFile := cosign_ctr.WithNewFile("/tmp/sbom.json", sbom)

_, err := sbomFile.WithSecretVariable("REGISTRY_PASSWORD", registryPassword).
WithExec([]string{
"cosign", "attest", "--yes", "--type", "spdx",
"--registry-username", registryUsername,
"--registry-password", registryPasswordPlain,
"--predicate", "/tmp/sbom.json",
imageAddr,
"--timeout", "1m",
}).Stdout(ctx)

return err
}