
Conversation


@oarbusi oarbusi commented Jun 16, 2025

Proposed changes

Example of SSDLC report and SBOM generation in 8584443

Link to any related issue(s): CLOUDP-325046

Type of change:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Required Checklist:

  • I have signed the MongoDB CLA
  • I have added tests that prove my fix is effective or that my feature works
  • I have added any necessary documentation (if appropriate)
  • I have run make fmt and formatted my code
  • I have tested the CDK constructor in a CFN stack. See TESTING.md
  • If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Further comments

@oarbusi oarbusi marked this pull request as ready for review June 16, 2025 14:59
Copilot AI review requested due to automatic review settings June 16, 2025 14:59
@oarbusi oarbusi requested a review from a team as a code owner June 16, 2025 14:59
Copilot AI (Contributor) left a comment


Pull Request Overview

This PR introduces a set of scripts and workflow configurations to generate SSDLC reports, SBOMs, and augmented SBOMs on demand using Silkbomb. Key changes include:

  • New templates and scripts for generating SSDLC compliance reports and SBOMs.
  • Added GitHub workflows for integrating SBOM generation and report updates into the release process.
  • Introduced a workflow for augmenting SBOMs prior to release.

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

File                                         | Description
templates/ssdlc-compliance.template.md       | New Markdown template for SSDLC Compliance Reports
scripts/compliance/upload-sbom.sh            | Script to upload SBOMs to Kondukto
scripts/compliance/gen-ssdlc-report.sh       | Script to generate SSDLC reports with support for augmented and standard
scripts/compliance/gen-sbom.sh               | Script to generate SBOM using docker and Silkbomb image
scripts/compliance/gen-purls.sh              | Script to generate PURLs from package.json dependencies
scripts/compliance/augment-sbom.sh           | Script to augment SBOM via docker with Kondukto
.github/workflows/release.yml                | Workflow updates to integrate SBOM generation, report generation, and upload
.github/workflows/generate-augmented-sbom.yml | Workflow to trigger augmented SBOM generation and report creation
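One detail a script like gen-purls.sh has to get right is the package-url (PURL) shape for scoped npm packages, whose leading "@" is percent-encoded, and for range specifiers such as ^10.0.0, which are not versions and must not be emitted as one. The Python below is an added illustration of that logic, not the project's gen-purls.sh, and the package.json it parses is a constructed sample.

```python
"""Build package-url (PURL) identifiers for npm dependencies declared in a
package.json, as an SBOM generator needs them. Added illustration only; this
is not the pull request's gen-purls.sh script."""
import json
import re
from urllib.parse import quote

# Constructed sample package.json contents (not taken from the project).
SAMPLE_PACKAGE_JSON = """{
  "name": "example-construct",
  "dependencies": {
    "aws-cdk-lib": "2.150.0",
    "@aws-cdk/aws-lambda-python-alpha": "=2.150.0-alpha.0",
    "constructs": "^10.0.0"
  },
  "devDependencies": {
    "typescript": "5.4.5"
  }
}"""

# An exact semver pin, optionally prefixed with "=" or "v"; anything else
# (^, ~, >=, ranges, tags, git URLs) is treated as unresolved.
EXACT_VERSION = re.compile(r"^=?v?(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.\-+]+)?)$")


def npm_purl(name: str, spec: str) -> str:
    """Return pkg:npm/... for one dependency. A scoped package becomes a
    namespace whose '@' is percent-encoded (pkg:npm/%40scope/name). Only an
    exact pin is emitted as the version; a range leaves the PURL unversioned
    so the caller knows to resolve it from the lockfile instead."""
    if name.startswith("@"):
        scope, _, pkg = name[1:].partition("/")
        path = f"{quote('@' + scope, safe='')}/{quote(pkg, safe='')}"
    else:
        path = quote(name, safe="")
    m = EXACT_VERSION.match(spec.strip())
    return f"pkg:npm/{path}@{m.group(1)}" if m else f"pkg:npm/{path}"


def purls_from_package_json(text: str, include_dev: bool = False) -> list[str]:
    """Sorted PURLs for dependencies (and devDependencies if requested)."""
    data = json.loads(text)
    sections = ["dependencies"] + (["devDependencies"] if include_dev else [])
    return sorted(npm_purl(name, spec)
                  for section in sections
                  for name, spec in data.get(section, {}).items())


def unresolved(purls: list[str]) -> list[str]:
    """PURLs without a version: not usable in an SBOM until resolved."""
    return [p for p in purls if "@" not in p.rsplit("/", 1)[-1]]
```

Run `purls_from_package_json(SAMPLE_PACKAGE_JSON)` and then `unresolved(...)` on the result to see which declared dependencies still need lockfile resolution.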


oarbusi commented Jun 16, 2025

Testing of the GH actions changes in progress (augmented SBOM + changes in the release)

passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Commit changes
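Review bot: the "Commit changes" step does not say which repository it commits to, which is exactly the question raised in this thread (CDK or TF repo). Name the destination in the step, for example "Commit changes to the CDK repo", and make sure the checkout this step relies on points at that same repository, so a commit produced with git_commit_gpgsign: true and the APIX_BOT_PASSPHRASE-protected key cannot land anywhere else.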
Member left a comment

are we committing changes in CDK or TF repo?

@oarbusi oarbusi (Collaborator, Author) replied Jun 17, 2025

to CDK. fixed, thanks

@oarbusi oarbusi merged commit 1c66bad into main Jun 18, 2025
13 checks passed
@oarbusi oarbusi deleted the CLOUDP-325046 branch June 18, 2025 14:54