Handle sbom deltas

Author: lucaronca

.github/actions/sbom-delta/action.yml

@@ -0,0 +1,42 @@
+name: Generate SBOM Delta
+description: Install Syft, generate delta SBOM for a container, and upload the artifact.
+
+inputs:
+  container:
+    description: Container name to scan
+    required: true
+  version:
+    description: Image tag or version
+    required: true
+  registry:
+    description: Registry prefix (e.g. ghcr.io/org/)
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Install syft
+      shell: bash
+      run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+    - name: Install task
+      shell: bash
+      run: which task || curl -sSfL https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin
+
+    - name: Generate delta SBOM
+      shell: bash
+      env:
+        CONTAINER: ${{ inputs.container }}
+        VERSION: ${{ inputs.version }}
+        REGISTRY: ${{ inputs.registry }}
+      run: |
+        task -t Taskfile.dist.yml sbom:delta -- \
+          --version "$VERSION" \
+          --registry "$REGISTRY" \
+          "$CONTAINER"
+
+    - name: Upload delta SBOM artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: sbom-delta-${{ inputs.container }}
+        path: ./containers/${{ inputs.container }}/sbom-delta/

.github/workflows/docker-build.yml

@@ -210,6 +210,13 @@ jobs:
             REGISTRY=${{ env.DEV_REGISTRY_PATH }}
             BASE_IMAGE_VERSION=${{ needs.setup.outputs.image_tag }}
 
+      - name: SBOM Delta
+        uses: ./.github/actions/sbom-delta
+        with:
+          container: ${{ matrix.container }}
+          version: ${{ needs.setup.outputs.image_tag }}
+          registry: ${{ env.DEV_REGISTRY_PATH }}
+
   build-downstream:
     needs: [ setup, build ]
     if: needs.setup.outputs.downstream_containers != '[]'
@@ -302,3 +309,10 @@ jobs:
           build-args: |
             REGISTRY=${{ env.DEV_REGISTRY_PATH }}
             BASE_IMAGE_VERSION=${{ needs.setup.outputs.image_tag }}
+
+      - name: SBOM Delta
+        uses: ./.github/actions/sbom-delta
+        with:
+          container: ${{ matrix.container }}
+          version: ${{ needs.setup.outputs.image_tag }}
+          registry: ${{ env.DEV_REGISTRY_PATH }}

.github/workflows/docker-publish.yml

@@ -261,6 +261,13 @@ jobs:
           provenance: false
           build-args: ${{ steps.config.outputs.build_args }}
 
+      - name: SBOM Delta
+        uses: ./.github/actions/sbom-delta
+        with:
+          container: ${{ matrix.container }}
+          version: ${{ needs.detect.outputs.version }}
+          registry: ${{ env.GHCR_DESTINATION_ORG }}
+
       - name: Update compose file references
         if: steps.config.outputs.update_compose == 'true'
         env:
@@ -364,6 +371,13 @@ jobs:
             BASE_IMAGE_VERSION=${{ needs.detect.outputs.version }}
             REGISTRY=${{ env.GHCR_DESTINATION_ORG }}/
 
+      - name: SBOM Delta
+        uses: ./.github/actions/sbom-delta
+        with:
+          container: ${{ matrix.container }}
+          version: ${{ needs.detect.outputs.version }}
+          registry: ${{ env.GHCR_DESTINATION_ORG }}
+
       - name: Update compose file references
         if: steps.config.outputs.update_compose == 'true'
         env:

Taskfile.dist.yml

@@ -76,7 +76,7 @@ tasks:
     desc: Format code
     cmds:
       - ruff format
-  
+
   build-dev:
     desc: Build a development package
     cmds:
@@ -253,3 +253,8 @@ tasks:
           IMAGE: 'public.ecr.aws/arduino/app-bricks/ei-models-runner'
           TAG: '{{.EI_TAG}}'
           DIR: './containers/ei-models-runner'
+
+  sbom:delta:
+    desc: Generate delta SBOMs for containers (requires syft and registry access)
+    cmds:
+      - python3 ./scripts/sbom_delta.py {{.CLI_ARGS}}

containers/aihub-models-runner/ci.json

@@ -5,5 +5,8 @@
   "build_whl": false,
   "update_compose": false,
   "build_args": {},
+  "sbom": {
+    "runtime_base": "ubuntu:24.04"
+  },
   "downstream": ["gesture-recognition-runner"]
 }

containers/ei-models-runner/ci.json

@@ -4,5 +4,8 @@
   "tag_latest": false,
   "build_whl": false,
   "update_compose": true,
-  "build_args": {}
+  "build_args": {},
+  "sbom": {
+    "runtime_base": "public.ecr.aws/g7a8t7v6/inference-container:v1.92.3"
+  }
 }

containers/ei-qnn-models-runner/ci.json

@@ -4,5 +4,8 @@
   "tag_latest": false,
   "build_whl": false,
   "update_compose": true,
-  "build_args": {}
+  "build_args": {},
+  "sbom": {
+    "runtime_base": "public.ecr.aws/z9b3d4t5/inference-container-qnn:v1.92.19-test-f19ce2e7"
+  }
 }

containers/gesture-recognition-runner/ci.json

@@ -5,5 +5,8 @@
   "build_whl": false,
   "update_compose": true,
   "build_args": {},
+  "sbom": {
+    "runtime_base": "${REGISTRY}app-bricks/aihub-models-runner:${BASE_IMAGE_VERSION}"
+  },
   "downstream": []
 }

containers/python-apps-base/ci.json

@@ -9,5 +9,8 @@
   "tag_latest": false,
   "build_whl": true,
   "update_compose": false,
-  "build_args": { }
+  "build_args": { },
+  "sbom": {
+    "runtime_base": "${REGISTRY}app-bricks/python-base:${BASE_IMAGE_VERSION}"
+  }
 }

containers/python-base/Dockerfile

@@ -22,7 +22,8 @@ RUN set -ex; \
     echo "https://github.com/${OPENCV_REPO_OWNER}/app-bricks-py/releases/download/opencv/${OPENCV_VERSION}/opencv_python_headless-${OPENCV_VERSION}-${PYTHON_VERSION}-${PYTHON_VERSION}-linux_aarch64.whl" >> /app/requirements.txt; \
     # Install Python dependencies
     pip install --no-cache-dir uv; \
-    uv pip install --system --no-cache-dir -r /app/requirements.txt && rm /app/requirements.txt; \
+    uv pip install --system --no-cache-dir -r /app/requirements.txt; \
+    rm /app/requirements.txt; \
     # Strip debug symbols, tests and remove unneeded packages to reduce size
     find /usr/local/lib/python3.13/site-packages -type f -name "*.so" -exec strip -s {} +; \
     find /usr/local/lib/python3.13/site-packages -type f -name "*.so.*" -exec strip -s {} +; \
@@ -74,12 +75,13 @@ RUN set -ex; \
     rm -rf /var/lib/apt/lists/*; \
     rm -fr /var/cache/apt/archives/*.deb \
         /var/cache/apt/archives/partial/*.deb \
-        /usr/share/doc/* \
         /usr/share/man/* \
         /usr/share/locale/* \
         /var/cache/debconf/* \
-        /var/lib/dpkg/info/* \      
+        /var/lib/dpkg/info/* \
         /var/cache/apt/*.bin; \
+    find /usr/share/doc -type f ! -name 'copyright' -delete; \
+    find /usr/share/doc -type d -empty -delete; \
     # precompile python files to .pyc to speed up startup time
     python -m compileall /usr/local/bin; \
     python -m compileall /usr/local/lib