Add vuln scanner and SBOM support, flip to new pipeline engine

- Add vuln.Scanner interface with GrafeasScanner (GCP Container Analysis)
  and NoopScanner
- Implement WriteSBOMs to copy pre-generated SBOMs from staging to production
  using cosign tag convention
- Default UseLegacyPipeline to false, add deprecation warning for legacy path
- Wire CLI flags: --use-legacy-pipeline, --require-provenance,
  --allowed-builders, --allowed-source-repos
- Use transport.Error for reliable 404 detection in signature and SBOM copies
- Fix New() to use passed options instead of DefaultOptions
- Add tests for SBOM tag derivation, vuln scanner, and promoter paths

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

Author: saschagrunert

cmd/kpromo/cmd/cip/cip.go

@@ -253,4 +253,32 @@ check. Found vulnerabilities at or above this threshold will result in the
 vulnerability check failing [severity levels between 0 and 5; 0 - UNSPECIFIED,
 1 - MINIMAL, 2 - LOW, 3 - MEDIUM, 4 - HIGH, 5 - CRITICAL]`,
 	)
+
+	CipCmd.PersistentFlags().BoolVar(
+		&runOpts.UseLegacyPipeline, //nolint:staticcheck // intentional deprecated flag
+		"use-legacy-pipeline",
+		options.DefaultOptions.UseLegacyPipeline, //nolint:staticcheck // intentional deprecated flag
+		"use the legacy sequential promotion code path instead of the new pipeline engine",
+	)
+
+	CipCmd.PersistentFlags().BoolVar(
+		&runOpts.RequireProvenance,
+		"require-provenance",
+		options.DefaultOptions.RequireProvenance,
+		"require valid SLSA provenance attestations before promotion",
+	)
+
+	CipCmd.PersistentFlags().StringSliceVar(
+		&runOpts.AllowedBuilders,
+		"allowed-builders",
+		options.DefaultOptions.AllowedBuilders,
+		"comma-separated list of acceptable builder identities for provenance verification",
+	)
+
+	CipCmd.PersistentFlags().StringSliceVar(
+		&runOpts.AllowedSourceRepos,
+		"allowed-source-repos",
+		options.DefaultOptions.AllowedSourceRepos,
+		"comma-separated list of acceptable source repository URLs for provenance verification",
+	)
 }

internal/promoter/image/sign.go

@@ -18,7 +18,9 @@ package imagepromoter
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"net/http"
 	"os"
 	"strings"
 
@@ -27,6 +29,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/gcrane"
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
 	"github.com/nozzle/throttler"
 	"github.com/sigstore/sigstore/pkg/tuf"
 	"github.com/sirupsen/logrus"
@@ -44,6 +47,7 @@ import (
 const (
 	oidcTokenAudience  = "sigstore"
 	signatureTagSuffix = ".sig"
+	sbomTagSuffix      = ".sbom"
 
 	TestSigningAccount = "k8s-infra-promoter-test-signer@k8s-cip-test-prod.iam.gserviceaccount.com"
 )
@@ -60,7 +64,7 @@ func (di *DefaultPromoterImplementation) ValidateStagingSignatures(
 		refsToEdges[ref] = edge
 	}
 
-	refs := []string{}
+	refs := make([]string, 0, len(refsToEdges))
 	for ref := range refsToEdges {
 		refs = append(refs, ref)
 	}
@@ -258,7 +262,8 @@ func (di *DefaultPromoterImplementation) copyAttachedObjects(edge *reg.Promotion
 	if err := crane.Copy(srcRef.String(), dstRef.String(), craneOpts...); err != nil {
 		// If the signature layer does not exist it means that the src image
 		// is not signed, so we catch the error and return nil
-		if strings.Contains(err.Error(), "MANIFEST_UNKNOWN") {
+		var terr *transport.Error
+		if errors.As(err, &terr) && terr.StatusCode == http.StatusNotFound {
 			logrus.Debugf("Reference %s is not signed, not copying", srcRef.String())
 			return nil
 		}
@@ -327,14 +332,71 @@ func (di *DefaultPromoterImplementation) replicateSignatures(
 	return nil
 }
 
-// WriteSBOMs writes SBOMs to each of the newly promoted images and stores
-// them along the signatures in the registry.
+// WriteSBOMs copies pre-generated SBOMs from the staging registry to each
+// production registry for the promoted images. SBOMs are expected to be
+// attached in staging (e.g., by the build system) and are identified by
+// the cosign SBOM tag convention (sha256-<hash>.sbom).
 func (di *DefaultPromoterImplementation) WriteSBOMs(
-	_ *options.Options, _ *reg.SyncContext, _ map[reg.PromotionEdge]interface{},
+	_ *options.Options, _ *reg.SyncContext, edges map[reg.PromotionEdge]interface{},
 ) error {
+	if len(edges) == 0 {
+		logrus.Info("No images were promoted. No SBOMs to copy.")
+		return nil
+	}
+
+	for edge := range edges {
+		// Skip signature and attestation layers
+		if strings.HasSuffix(string(edge.DstImageTag.Tag), ".sig") ||
+			strings.HasSuffix(string(edge.DstImageTag.Tag), ".att") ||
+			strings.HasSuffix(string(edge.DstImageTag.Tag), ".sbom") ||
+			edge.DstImageTag.Tag == "" {
+			continue
+		}
+
+		if err := di.copySBOM(&edge); err != nil {
+			return fmt.Errorf("copying SBOM for %s: %w", edge.DstReference(), err)
+		}
+	}
+
 	return nil
 }
 
+// copySBOM copies an SBOM from the staging registry to the production registry
+// for a single promotion edge. If no SBOM exists in staging, this is not an error.
+func (di *DefaultPromoterImplementation) copySBOM(edge *reg.PromotionEdge) error {
+	sbomTag := digestToSBOMTag(edge.Digest)
+	srcRefString := fmt.Sprintf(
+		"%s/%s:%s", edge.SrcRegistry.Name, edge.SrcImageTag.Name, sbomTag,
+	)
+	dstRefString := fmt.Sprintf(
+		"%s/%s:%s", edge.DstRegistry.Name, edge.DstImageTag.Name, sbomTag,
+	)
+
+	craneOpts := []crane.Option{
+		crane.WithAuthFromKeychain(gcrane.Keychain),
+		crane.WithUserAgent(image.UserAgent),
+		crane.WithTransport(di.getSigningTransport()),
+	}
+
+	logrus.Infof("SBOM copy: %s to %s", srcRefString, dstRefString)
+	if err := crane.Copy(srcRefString, dstRefString, craneOpts...); err != nil {
+		// If the SBOM does not exist in staging, skip silently
+		var terr *transport.Error
+		if errors.As(err, &terr) && terr.StatusCode == http.StatusNotFound {
+			logrus.Debugf("No SBOM found for %s, skipping", srcRefString)
+			return nil
+		}
+		return fmt.Errorf("copying SBOM %s to %s: %w", srcRefString, dstRefString, err)
+	}
+	return nil
+}
+
+// digestToSBOMTag takes a digest and infers the tag name where
+// its SBOM can be found.
+func digestToSBOMTag(dg image.Digest) string {
+	return strings.ReplaceAll(string(dg), "sha256:", "sha256-") + sbomTagSuffix
+}
+
 // GetIdentityToken returns an identity token for the selected service account
 // in order for this function to work, an account has to be already logged. This
 // can be achieved using the.

internal/promoter/image/sign_test.go

@@ -26,6 +26,7 @@ import (
 	reg "sigs.k8s.io/promo-tools/v4/internal/legacy/dockerregistry"
 	"sigs.k8s.io/promo-tools/v4/internal/legacy/dockerregistry/registry"
 	options "sigs.k8s.io/promo-tools/v4/promoter/image/options"
+	"sigs.k8s.io/promo-tools/v4/types/image"
 )
 
 // TestGetIdentityToken tests the identity token generation logic. By default
@@ -55,6 +56,58 @@ func TestGetIdentityToken(t *testing.T) {
 	require.NotEmpty(t, tok)
 }
 
+func TestDigestToSignatureTag(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		name   string
+		digest image.Digest
+		want   string
+	}{
+		{
+			name:   "standard sha256 digest",
+			digest: "sha256:709e17a9c17018997724ed19afc18dbf576e9af10dfe78c13b34175027916d8f",
+			want:   "sha256-709e17a9c17018997724ed19afc18dbf576e9af10dfe78c13b34175027916d8f.sig",
+		},
+		{
+			name:   "bare sha256 prefix",
+			digest: "sha256:abc",
+			want:   "sha256-abc.sig",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.want, digestToSignatureTag(tc.digest))
+		})
+	}
+}
+
+func TestDigestToSBOMTag(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		name   string
+		digest image.Digest
+		want   string
+	}{
+		{
+			name:   "standard sha256 digest",
+			digest: "sha256:709e17a9c17018997724ed19afc18dbf576e9af10dfe78c13b34175027916d8f",
+			want:   "sha256-709e17a9c17018997724ed19afc18dbf576e9af10dfe78c13b34175027916d8f.sbom",
+		},
+		{
+			name:   "bare sha256 prefix",
+			digest: "sha256:abc",
+			want:   "sha256-abc.sbom",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.want, digestToSBOMTag(tc.digest))
+		})
+	}
+}
+
 func TestTargetIdentity(t *testing.T) {
 	t.Parallel()
 

promoter/image/options/options.go

@@ -125,8 +125,8 @@ type Options struct {
 	// MaxSignatureOps maximum number of concurrent signature operations
 	MaxSignatureOps int
 
-	// UseLegacyPipeline uses the legacy sequential promotion code path
-	// instead of the new pipeline engine. Defaults to true during transition.
+	// Deprecated: UseLegacyPipeline uses the legacy sequential promotion
+	// code path instead of the new pipeline engine. Defaults to false.
 	UseLegacyPipeline bool
 
 	// RequireProvenance controls whether provenance verification is required
@@ -159,7 +159,7 @@ var DefaultOptions = &Options{
 	SignCheckIssuerRegexp:   "",
 	MaxSignatureCopies:      50, // Maximum number of concurrent signature copies
 	MaxSignatureOps:         50, // Maximum number of concurrent signature operations
-	UseLegacyPipeline:       true,
+	UseLegacyPipeline:       false,
 }
 
 func (o *Options) Validate() error {

promoter/image/promoter.go

@@ -60,7 +60,7 @@ func New(opts *options.Options) *Promoter {
 	di.SetSigningTransport(signRT)
 
 	return &Promoter{
-		Options: options.DefaultOptions,
+		Options: opts,
 		impl:    di,
 		budget:  budget,
 	}
@@ -122,7 +122,7 @@ type promoterImplementation interface {
 // PromoteImages is the main method for image promotion.
 // It runs by taking all its parameters from a set of options.
 func (p *Promoter) PromoteImages(ctx context.Context, opts *options.Options) error {
-	if opts.UseLegacyPipeline {
+	if opts.UseLegacyPipeline { //nolint:staticcheck // intentional legacy routing
 		return p.promoteImagesLegacy(opts)
 	}
 	return p.promoteImagesPipeline(ctx, opts)
@@ -259,9 +259,12 @@ func (p *Promoter) promoteImagesPipeline(ctx context.Context, opts *options.Opti
 	return pipe.Run(ctx)
 }
 
-// promoteImagesLegacy is the original sequential promotion code path.
+// Deprecated: promoteImagesLegacy is the original sequential promotion code path.
+// Use the pipeline-based path (--use-legacy-pipeline=false) instead.
+// This will be removed in a future release.
 func (p *Promoter) promoteImagesLegacy(opts *options.Options) error {
-	logrus.Infof("PromoteImages start (legacy pipeline)")
+	logrus.Warn("Using deprecated legacy promotion pipeline. " +
+		"Set --use-legacy-pipeline=false to use the new pipeline engine.")
 	if err := p.impl.ValidateOptions(opts); err != nil {
 		return fmt.Errorf("validating options: %w", err)
 	}