Skip to content

Add docs for fetching SBOMs #711

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Nov 5, 2024
+36 −0
Merged

Add docs for fetching SBOMs #711

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
f201965
Add initial public SBOM fetching instructions
willdollman Oct 15, 2024
6c70819
mdx
willdollman Oct 15, 2024
6392acd
Update with suggestions
willdollman Oct 16, 2024
ae8d3ac
Tweak
willdollman Oct 16, 2024
9ff3828
Scaled image
willdollman Oct 16, 2024
b3f160c
Update with version
willdollman Oct 16, 2024
5e46baa
Bump release
willdollman Oct 16, 2024
e83da88
Update for version 5.9.0
willdollman Nov 5, 2024
58bf507
Tweaks
willdollman Nov 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions docs/cli/how-tos/fetch_sboms.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# How to fetch SBOMs for Sourcegraph

Sourcegraph publishes a Software Bill of Materials (SBOM) for each of its container images. The SBOMs for each Sourcegraph release are signed, and stored in our container registry alongside our published container images.

To retrieve the SBOMs for a specific release, you can use the `src` command line interface for Sourcegraph:

1. Install `src` by following the [Quickstart](../quickstart.mdx).
2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/).
3. Identify the version of Sourcegraph your require SBOMs for. This may be a [recent release](../../CHANGELOG.mdx), or your instance's current version.
1. SBOMs are only available for Sourcegraph release 5.9.0 and later.
2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner.
![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version-scaled.png)
4. Run `src sbom fetch -v <version>` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph.
```
# Fetch SBOMs for Sourcegraph release 5.9.0
$ src sbom fetch -v 5.9.0

Fetching SBOMs and validating signatures for all 39 images in the Sourcegraph 5.9.0 release...

✅ sourcegraph/appliance
✅ sourcegraph/batcheshelper
✅ sourcegraph/bundled-executor

[...]

🟢 Fetched verified SBOMs for 39 images

Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.9.0`.

Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used.
```
5. Once completed, you can find the set of validated SBOMs under `sourcegraph-sboms/sourcegraph-<version>/`.

**Note:** `src sbom fetch` will retrieve SBOMs for **all** containers that make up a Sourcegraph release. Your Sourcegraph instance will use only a subset of these containers - please check your deployment to determine which SBOM files are relevant to your deployment.
2 changes: 2 additions & 0 deletions docs/cli/how-tos/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,5 @@ The following how-tos apply to the `src` command line interface to Sourcegraph:
- [Creating an access token](/cli/how-tos/creating_an_access_token)
- [Revoking an access token](/cli/how-tos/revoking_an_access_token)
- [Managing access tokens](/cli/how-tos/managing_access_tokens)
- [How to fetch SBOMs for Sourcegraph](/cli/how-tos/fetch_sboms)

Loading