Add docs for fetching SBOMs (#711)

willdollman · web-flow · commit f44221840e0c · 2024-11-05T15:24:02.000Z
Add public-facing docs for fetching SBOMs using `src`.
&lt;!-- Explain the changes introduced in your PR --&gt;

## Pull Request approval

Although pull request approval is not enforced for this repository in
order to reduce friction, merging without a review will generate a
ticket for the docs team to review your changes. So if possible, have
your pull request approved before merging.

## TODO

- [x] Add screenshot of version
- [x] Make it clear that you don't need to install before fetching SBOMs
- [x] Add successful output from command
- [x] Update version in examples after release
diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx
@@ -0,0 +1,34 @@
+# How to fetch SBOMs for Sourcegraph
+
+Sourcegraph publishes a Software Bill of Materials (SBOM) for each of its container images. The SBOMs for each Sourcegraph release are signed, and stored in our container registry alongside our published container images.
+
+To retrieve the SBOMs for a specific release, you can use the `src` command line interface for Sourcegraph:
+
+1. Install `src` by following the [Quickstart](../quickstart.mdx).
+2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/).
+3. Identify the version of Sourcegraph your require SBOMs for. This may be a [recent release](../../CHANGELOG.mdx), or your instance's current version.
+    1. SBOMs are only available for Sourcegraph release 5.9.0 and later.
+    2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner.
+    ![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version-scaled.png)
+4. Run `src sbom fetch -v <version>` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph.
+    ```
+    # Fetch SBOMs for Sourcegraph release 5.9.0
+    $ src sbom fetch -v 5.9.0
+
+    Fetching SBOMs and validating signatures for all 39 images in the Sourcegraph 5.9.0 release...
+
+    ✅ sourcegraph/appliance
+    ✅ sourcegraph/batcheshelper
+    ✅ sourcegraph/bundled-executor
+
+    [...]
+
+    🟢 Fetched verified SBOMs for 39 images
+
+    Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.9.0`.
+
+    Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used.
+    ```
+5. Once completed, you can find the set of validated SBOMs under `sourcegraph-sboms/sourcegraph-<version>/`.
+
+**Note:** `src sbom fetch` will retrieve SBOMs for **all** containers that make up a Sourcegraph release. Your Sourcegraph instance will use only a subset of these containers - please check your deployment to determine which SBOM files are relevant to your deployment.
diff --git a/docs/cli/how-tos/index.mdx b/docs/cli/how-tos/index.mdx
@@ -5,3 +5,5 @@ The following how-tos apply to the `src` command line interface to Sourcegraph:
 - [Creating an access token](/cli/how-tos/creating_an_access_token)
 - [Revoking an access token](/cli/how-tos/revoking_an_access_token)
 - [Managing access tokens](/cli/how-tos/managing_access_tokens)
+- [How to fetch SBOMs for Sourcegraph](/cli/how-tos/fetch_sboms)
+
