Hi, first of all, I have to say Linkerd rocks in a lot of ways (great project and using Rust)!
I'm working with the team that builds Syft - an open source tool for building a software bill of materials (SBOM) from code and container images and we would love to help other open source projects generate SBOMs!
A little background: supply chain security is a big topic, certainly in the USA; with recent high-profile hacks and the executive order signed, it is increasingly becoming a requirement to have SBOMs. Syft supports a wide range of technologies, including Go and Rust, and due to the fact that Linkerd uses GitHub Actions and releases, it should not be very complicated to add to the workflows using the sbom-action. Syft itself is quite fast generally, so it wouldn't add any significant time to the pipelines.
Is this something that the community would like to see?
I've had a look through the build process and I think I found most of the appropriate places to plug things in, but I could definitely be missing some important bits! I took a stab at what this might look like in a fork of mine in this commit, which ends up being 4 actions - 3 for generating SBOMs for different components and a 4th for attaching assets to the release. I also ran a release on my fork (after doing some modifications to the build like using a local docker registry, disabling a number of steps that wouldn't work, etc.) and here is an example release run. You'll see it adds SBOMs as workflow artifacts for all builds, and when run using the release it also adds them as release assets. This at least checks off the box for having SBOMs available. And we have lots more plans to make this way more useful in the coming months.
Is this a worthwhile endeavor? If so, I would be happy to make a PR once it sounds like I'm on the right track. And of course any feedback on how we could improve the tools would be extremely valuable, too!
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
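For readers who want to see the shape of what the post describes, here is an added example workflow (not the poster's fork, not Linkerd's CI, and not code from the sbom-action project): one job generates an SBOM from the checked-out Go and Rust sources, one generates an SBOM for a container image, and a final job, run only on release events, attaches the collected SBOM artifacts to the release, mirroring the "3 generating plus 1 publishing" layout of the post with one fewer generation job. The image reference `ghcr.io/example/linkerd-proxy`, the artifact names, and the `jq` sanity check are my own; the input names on `anchore/sbom-action` (`path`, `image`, `format`, `artifact-name`, `output-file`, `upload-release-assets`) and the `publish-sbom` sub-action with its `sbom-artifact-match` input are taken from my reading of that action's documentation and should be checked against the version you pin.

```yaml
# Added example, not part of the original post or the Linkerd repo.
name: sbom

on:
  push:
    branches: [main]
  release:
    types: [published]

permissions:
  contents: write        # assumption: needed so the publish job can attach release assets

jobs:
  sbom-source:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: SBOM for the Go and Rust sources
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          artifact-name: linkerd-source-sbom.spdx.json   # hypothetical name
          output-file: linkerd-source-sbom.spdx.json
          upload-release-assets: false   # the publish job below does this once, for every SBOM

      # Fail the build if the scan silently missed the go.mod / Cargo.lock
      # manifests, e.g. because the path was wrong. SPDX JSON from syft carries
      # package URLs (purls) under packages[].externalRefs.
      - name: Check the SBOM actually covers Go and Rust dependencies
        run: |
          jq -e '
            [.packages[].externalRefs[]? | select(.referenceType == "purl") | .referenceLocator] as $purls
            | (($purls | map(select(startswith("pkg:golang/"))) | length) > 0)
              and (($purls | map(select(startswith("pkg:cargo/"))) | length) > 0)
          ' linkerd-source-sbom.spdx.json

  sbom-proxy-image:
    runs-on: ubuntu-latest
    steps:
      - name: SBOM for a published container image
        uses: anchore/sbom-action@v0
        with:
          # hypothetical image; in a real pipeline this is the image the release job just pushed
          image: ghcr.io/example/linkerd-proxy:${{ github.ref_name }}
          format: spdx-json
          artifact-name: linkerd-proxy-image-sbom.spdx.json
          output-file: linkerd-proxy-image-sbom.spdx.json
          upload-release-assets: false

  publish-sboms:
    if: github.event_name == 'release'
    needs: [sbom-source, sbom-proxy-image]
    runs-on: ubuntu-latest
    steps:
      - name: Attach every *.spdx.json workflow artifact to the release
        uses: anchore/sbom-action/publish-sbom@v0
        with:
          sbom-artifact-match: ".*\\.spdx\\.json$"
```

Two points a reviewer would raise on a PR like the one proposed. First, a source scan and an image scan answer different questions: the source SBOM lists what the build was asked to compile, while the image SBOM lists what actually shipped (base image packages included), so publishing both is more useful than either alone. Second, an SBOM that is generated but never checked can be empty without anyone noticing; the `jq` step above is the cheapest form of that check, and it is worth keeping even once the SBOMs are also being consumed downstream.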