Add jobs to generate image SBOM
What does this MR do?
- Add `image sbom` job that generates a SBOM for the default image, using Trivy.
- Add `image sbom fips` job that generates a SBOM for the `-fips` image when `Dockerfile.fips` exists.
- Skip these jobs unless `GENERATE_IMAGE_SBOM` is set (opt-in).
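Added example of how the two opt-in jobs described above can be expressed in `.gitlab-ci.yml`; this is not the MR's own configuration. The image references (`$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA` and its `-fips` tag), the `aquasec/trivy` runner image and the registry credential variables are assumptions.

```yaml
# Added example, not the MR's own .gitlab-ci.yml.
# Assumptions: the default image is $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA, the FIPS
# image is the same tag with a -fips suffix, and Trivy runs from aquasec/trivy.
.image_sbom_base:
  stage: test
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    # Trivy reads registry credentials from these env vars (assumed to be needed
    # for a private registry).
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD

image sbom:
  extends: .image_sbom_base
  rules:
    # Opt-in: the job only exists when GENERATE_IMAGE_SBOM is set.
    - if: $GENERATE_IMAGE_SBOM
  script:
    - trivy image --format cyclonedx --output cyclonedx-image.json
        "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  artifacts:
    paths: [cyclonedx-image.json]
    reports:
      # Lets GitLab ingest the CycloneDX report as a dependency list.
      cyclonedx: cyclonedx-image.json

image sbom fips:
  extends: .image_sbom_base
  rules:
    # Both conditions must hold: opt-in variable set AND Dockerfile.fips present.
    - if: $GENERATE_IMAGE_SBOM
      exists:
        - Dockerfile.fips
  script:
    - trivy image --format cyclonedx --output cyclonedx-image-fips.json
        "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA-fips"
  artifacts:
    paths: [cyclonedx-image-fips.json]
    reports:
      cyclonedx: cyclonedx-image-fips.json
```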
What are the relevant issue numbers?
This was needed to do gitlab-org&7857 (closed).
- sbom + cryptographic audit of gemnasium (gitlab-org/gitlab#357918 - closed)
- sbom + cryptographic audit of gemnasium-maven (gitlab-org/gitlab#357919 - closed)
- sbom + cryptographic audit of gemnasium-python (gitlab-org/gitlab#357920 - closed)
Also, this can be considered as a PoC for Create CycloneDX report for container scanning (gitlab-org/gitlab#354446 - closed).
Testing
- Pipeline where `GENERATE_IMAGE_SBOM` isn't set:
  - There's no `image sbom` job.
  - There's no `image sbom fips` job.
- Pipeline where `GENERATE_IMAGE_SBOM` is set, and a repo with `Dockerfile.fips`:
  - `image sbom` job generates the SBOM for the default image, and it's named `cyclonedx-image.json`.
  - `image sbom fips` job with expected SBOM for the FIPS image, and it's named `cyclonedx-image-fips.json`.
Edited by Fabien Catteau