
Generate SBOM when using Trivy

Aditya Tiwari requested to merge 396381-sbom-scanning into master

Why is this change being made?

Generate an SBOM in Container Scanning using Trivy. Add a new Gcs::Plugin::SBOMScan class, which uses Trivy to generate SBOMs from within Container Scanning.

Steps to test

  1. Create a container scanning project or clone this test project.

  2. In .gitlab-ci.yml set CS_ANALYZER_IMAGE to the latest image generated by the CI job, i.e. registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/trivy:ffd7917643be263f5ab19933db4ad909ccc43495

  3. Set the artifacts under container_scanning in .gitlab-ci.yml

    artifacts:
        reports:
          container_scanning: gl-container-scanning-report.json
          dependency_scanning: gl-dependency-scanning-report.json
          cyclonedx: gl-sbom-report.cdx.json
        paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json, gl-sbom-report.cdx.json]
    
  4. Run the container-scanning job.

  5. In the artifacts of the job you can find the gl-sbom-report.cdx.json.

Running the integration tests locally also generates the file.

Example/Demo:

https://gitlab.com/atiwari71/container-scanning-test/-/jobs/3964842152/artifacts/browse

Demo Video

Screen_Recording_2023-03-21_at_12.05.08_PM

Issue

gitlab-org/gitlab#396381 (closed)
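When the job has run, the gl-sbom-report.cdx.json artifact from step 5 is worth sanity-checking before anything downstream consumes it: that it really is a CycloneDX document, that it names the scanned image, and that its components carry package URLs (purls) that dependency tooling can match. The Ruby below is an added example written for this page, not code from the merge request or the Gcs analyzer; the embedded SBOM is a constructed minimal sample, not Trivy output, and check_sbom is a hypothetical helper name.

```ruby
require 'json'

# Constructed minimal CycloneDX JSON SBOM (sample data, not generated by Trivy).
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
      "component": { "type": "container", "name": "alpine", "version": "3.17" }
    },
    "components": [
      { "type": "library", "name": "busybox", "version": "1.35.0-r29",
        "purl": "pkg:apk/alpine/busybox@1.35.0-r29" },
      { "type": "library", "name": "zlib", "version": "1.2.13-r0",
        "purl": "pkg:apk/alpine/zlib@1.2.13-r0" },
      { "type": "library", "name": "ca-certificates", "version": "20220614-r4" }
    ]
  }
JSON

# Parse an SBOM document and report whether it is usable.
# Returns a hash with :valid, a list of :errors, the :component_count,
# the :missing_purl component names and the scanned :subject image name.
def check_sbom(json_text)
  doc = JSON.parse(json_text)
  errors = []

  # The report format GitLab expects for the cyclonedx artifact.
  errors << "bomFormat is #{doc['bomFormat'].inspect}, expected CycloneDX" unless doc['bomFormat'] == 'CycloneDX'
  errors << 'specVersion missing' unless doc['specVersion'].is_a?(String)

  # An SBOM with no components usually means the scanner found no package metadata.
  components = doc.fetch('components', [])
  errors << 'no components listed' if components.empty?

  # Components without a purl cannot be matched against vulnerability databases.
  missing_purl = components.reject { |c| c['purl'] }.map { |c| c['name'] }

  {
    valid: errors.empty?,
    errors: errors,
    component_count: components.size,
    missing_purl: missing_purl,
    subject: doc.dig('metadata', 'component', 'name')
  }
end

# Convenience wrapper for checking an artifact on disk, e.g. a downloaded job artifact.
def check_sbom_file(path)
  check_sbom(File.read(path))
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  result = path ? check_sbom_file(path) : check_sbom(SAMPLE_SBOM)
  puts "subject: #{result[:subject]}, components: #{result[:component_count]}"
  puts "components without purl: #{result[:missing_purl].join(', ')}" unless result[:missing_purl].empty?
  result[:errors].each { |e| puts "error: #{e}" }
  exit(result[:valid] ? 0 : 1)
end
```

Run it with the artifact path (`ruby check_sbom.rb gl-sbom-report.cdx.json`) to get a non-zero exit when the report is not a CycloneDX document or lists no components; with no argument it checks the embedded sample. Components lacking a purl are reported but do not fail the check, since OS packages without a registered purl type are a known limitation rather than a broken report.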

Edited by Adam Cohen
