Add SBOM generation for Cyber Resilience Act compliance

camilamacedo86 · camilamacedo86 · commit 74aba178b6cd · 2024-10-30T07:15:20.000Z
- Integrated SBOM generation in GoReleaser using Syft to produce CycloneDX SBOMs.
- Updated GitHub Actions workflow to install Syft, enabling automated SBOM creation on release.
- This enhancement is part of ongoing efforts to align with the EU Cyber Resilience Act, ensuring transparency and security in our software supply chain.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,7 +11,6 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
 
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -23,8 +22,11 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: '~1.22'
-      - name: Clean dist directory
         run: rm -rf dist || true
+      - name: Install Syft to generate SBOMs
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b $HOME/bin
+          echo "$HOME/bin" >> $GITHUB_PATH
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
diff --git a/build/.goreleaser.yml b/build/.goreleaser.yml
@@ -68,3 +68,12 @@ release:
   github:
     owner: kubernetes-sigs
     name: kubebuilder
+
+# Add the SBOM configuration at the end to generate SBOM files
+sboms:
+  - id: kubebuilder-sbom
+    artifacts: binary
+    cmd: syft
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+    documents:
+      - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.cyclonedx.sbom.json"
