feat: add support for SBOM attestation (#217)

Signed-off-by: Paulo Gomes <[email protected]>

Author: pjbgf

_docs/data/data.yaml

@@ -260,3 +260,8 @@ properties:
     description: Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`).
     type: string
     required: false
+
+  - name: sbom
+    description: Generate [sbom](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest type=sbom`).
+    type: string
+    required: false

cmd/drone-docker-buildx/config.go

@@ -314,5 +314,12 @@ func settingsFlags(settings *plugin.Settings, category string) []cli.Flag {
 			Destination: &settings.Build.Provenance,
 			Category:    category,
 		},
+		&cli.StringFlag{
+			Name:        "sbom",
+			EnvVars:     []string{"PLUGIN_SBOM"},
+			Usage:       "generates sbom attestation for the build",
+			Destination: &settings.Build.SBOM,
+			Category:    category,
+		},
 	}
 }

plugin/docker.go

@@ -156,6 +156,10 @@ func commandBuild(build Build, dryrun bool) *execabs.Cmd {
 		args = append(args, "--provenance", build.Provenance)
 	}
 
+	if build.SBOM != "" {
+		args = append(args, "--sbom", build.SBOM)
+	}
+
 	return execabs.Command(dockerBin, args...)
 }
 

plugin/impl.go

@@ -64,6 +64,7 @@ type Build struct {
 	NamedContext cli.StringSlice // Docker build named context
 	Labels       cli.StringSlice // Docker build labels
 	Provenance   string          // Docker build provenance attestation
+	SBOM         string          // Docker build sbom attestation
 }
 
 // Settings for the Plugin.