chore: Onboard to Silkbomb to generate SSDLC reports, SBOM and generate augmented SBOM on demand (#463)

Author: oarbusi

.github/workflows/generate-augmented-sbom.yml

@@ -0,0 +1,49 @@
+name: Augment SBOM
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 3.12.1)"
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  augment-sbom:
+    runs-on: ubuntu-latest
+    env:
+      KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+      KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+      KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
+
+      - name: Augment SBOM with Kondukto
+        env:
+          RELEASE_VERSION: ${{ inputs.release_version }}
+        run: ./scripts/compliance/augment-sbom.sh
+
+      - name: Generate SSDLC report
+        env:
+          AUTHOR: ${{ github.actor }}
+          VERSION: ${{ inputs.release_version }}
+          AUGMENTED_REPORT: "true"
+        run: ./scripts/compliance/gen-ssdlc-report.sh
+
+      - name: Upload augmented SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: augmented_sbom_and_ssdlc_report
+          path: |
+            compliance/v${{ inputs.release_version }}/augmented-sbom-v${{ inputs.release_version }}-${{ steps.date.outputs.date }}.json
+            compliance/v${{ inputs.release_version }}/ssdlc-compliance-${{ inputs.release_version }}-${{ steps.date.outputs.date }}.md
+          if-no-files-found: error 

.github/workflows/package.yml

@@ -29,7 +29,7 @@ jobs:
         with:
           node-version: 18.x
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -50,7 +50,7 @@ jobs:
         with:
           node-version: 18.x
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -70,7 +70,7 @@ jobs:
         with:
           node-version: 18.x
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -90,7 +90,7 @@ jobs:
         with:
           node-version: 18.x
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -111,7 +111,7 @@ jobs:
         with:
           node-version: 18.x
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}

.github/workflows/release.yml

@@ -314,3 +314,57 @@ jobs:
           labels: failed-release
           title: Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Releases failed
           body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+      - name: Generate PURL and SBOM
+        run: |
+          ./scripts/compliance/gen-purls.sh
+          ./scripts/compliance/gen-sbom.sh
+        env:
+          SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+      - name: Upload SBOM to Kondukto
+        run: ./scripts/compliance/upload-sbom.sh
+        env:
+          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+          SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - name: Generate SSDLC report
+        run: |
+          AUTHOR="${{ github.actor }}"
+          export AUTHOR
+          VERSION="${{ steps.extract-version.outputs.VERSION }}"
+          export VERSION
+          ./scripts/compliance/gen-ssdlc-report.sh
+        env:
+          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+          SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec
+        with:
+          gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+      - name: Commit changes
+        shell: bash
+        run: |
+          if [[ $(git status --porcelain) ]]; then
+            git pull
+            git config --local user.email [email protected]
+            git config --local user.name svc-apix-bot
+            git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
+            git add compliance/v*/*
+            git commit -m "chore: Update SSDLC report for ${{ steps.extract-version.outputs.VERSION }}"
+            git push origin
+          else
+            echo "No changes to commit."
+          fi
+      - name: Upload SBOM as release artifact
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
+        with:
+          files: compliance/sbom.json
+          tag_name: ${{ steps.extract-version.outputs.VERSION }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

scripts/compliance/augment-sbom.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}"
+DATE=$(date +'%Y-%m-%d')
+
+echo "Augmenting SBOM..."
+docker run \
+	--pull=always \
+	--platform="linux/amd64" \
+	--rm \
+	-v "${PWD}:/pwd" \
+	-e KONDUKTO_TOKEN \
+	"$SILKBOMB_IMG" \
+	augment \
+	--sbom-in "/pwd/compliance/sbom.json" \
+	--repo "$KONDUKTO_REPO" \
+	--branch "$KONDUKTO_BRANCH_PREFIX" \
+	--sbom-out "/pwd/compliance/augmented-sbom-v${RELEASE_VERSION}-${DATE}.json"

scripts/compliance/gen-purls.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Reference: .cursor/rules - be surgical, only output PURLs, use jq for JSON parsing
+
+if ! command -v jq &> /dev/null; then
+  echo "jq is required but not installed. Please install jq to use this script."
+  exit 1
+fi
+
+mkdir -p compliance
+
+PKG_JSON=package.json
+
+# Output all npm dependencies, devDependencies, and peerDependencies as PURLs to compliance/purls.txt
+yq -r --output-format json '.dependencies | to_entries | .[] |  "pkg:npm/" + .key + "@" + .value' $PKG_JSON > compliance/purls.txt
+yq -r --output-format json '.devDependencies | to_entries | .[] |  "pkg:npm/" + .key + "@" + .value' $PKG_JSON >> compliance/purls.txt
+yq -r --output-format json '.peerDependencies | to_entries | .[] |  "pkg:npm/" + .key + "@" + .value' $PKG_JSON >> compliance/purls.txt

scripts/compliance/gen-sbom.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Generating SBOM..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  "$SILKBOMB_IMG" \
+  update \
+  --purls /pwd/compliance/purls.txt \
+  --sbom-out /pwd/compliance/sbom.json

scripts/compliance/gen-ssdlc-report.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+
+export DATE="${release_date}"
+
+if [ -z "${AUTHOR:-}" ]; then
+  AUTHOR=$(git config user.name)
+fi
+
+if [ -z "${VERSION:-}" ]; then
+  VERSION=$(git tag --list 'v*' --sort=-v:refname | head -1 | cut -d 'v' -f 2)
+fi
+
+if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then
+  target_dir="."
+  file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+  SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
+      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+  target_dir="compliance/v${VERSION}"
+  file_name="ssdlc-compliance-${VERSION}.md"
+  SBOM_TEXT="  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/awscdk-resources-mongodbatlas/releases/download/v${VERSION}/sbom.json"
+  # Ensure awscdk-resources-mongodbatlas version directory exists
+  mkdir -p "${target_dir}"
+fi
+
+export AUTHOR
+export VERSION
+export SBOM_TEXT
+
+echo "Generating SSDLC report for MongoDB Atlas AWS CDK Resources version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
+
+envsubst < templates/ssdlc-compliance.template.md \
+  > "${target_dir}/${file_name}"
+
+echo "SSDLC compliance report ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
+
+echo "Printing the generated report:"
+cat "${target_dir}/${file_name}"

scripts/compliance/upload-sbom.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Uploading SBOMs..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  -e KONDUKTO_TOKEN \
+  "$SILKBOMB_IMG" \
+  upload \
+  --sbom-in /pwd/compliance/sbom.json \
+  --repo "$KONDUKTO_REPO"  \
+  --branch "$KONDUKTO_BRANCH_PREFIX"

templates/ssdlc-compliance.template.md

@@ -0,0 +1,29 @@
+SSDLC Compliance Report: MongoDB Atlas AWS CDK Resources ${VERSION}
+=================================================================
+
+- Release Creator: ${AUTHOR}
+- Created On:       ${DATE}
+
+Overview:
+
+- **Product and Release Name**
+  - MongoDB Atlas AWS CDK Resources ${VERSION}, ${DATE}.
+
+- **Process Document**
+  - https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities
+
+- **Tool used to track third party vulnerabilities**
+  - [Kondukto](https://arcticglow.kondukto.io/)
+
+- **Dependency Information**
+${SBOM_TEXT}
+
+- **Security Testing Report**
+  - Available as needed from Cloud Security.
+
+- **Security Assessment Report**
+  - Available as needed from Cloud Security.
+
+Assumptions and attestations:
+
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.