Store container scanning SBoMs as reports
What does this MR do and why?
Add the cyclonedx report artifact:
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
dependency_scanning: gl-dependency-scanning-report.json
cyclonedx: "**/gl-sbom-*.cdx.json"
paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json, "**/gl-sbom-*.cdx.json"]
Describe in detail what your merge request does and why.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
- Check out this MR in GDK.
- Clone this test project in your local gdk.
- Set the variable as follows in the project
gitlab-ci.yml
.
CS_ANALYZER_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/trivy:55a702958694e3404c036915ba1ee93aea1e9133
CI_REGISTRY_IMAGE: registry.gitlab.com/atiwari71/container-scanning-test
This will fetch the container-scanning build with SBOM
report feature from this MR.
- Run the pipeline and go to the job artifacts, the report will look like as follows:
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #398644 (closed)
Edited by Aditya Tiwari