User-defined images for SBOM generator jobs
### Problem to solve

Background: https://gitlab.com/groups/gitlab-org/-/epics/8206+ introduces CI jobs that generate SBOMs consumed by Dependency Scanning.

Allow users to choose the Docker image of the jobs that generate SBOMs, so that they can provide an environment that meets the requirements of their projects and in which project dependencies can be listed.

### Intended users

### User experience goal

Users edit the CI config of their projects and override the `image:name` parameter of the SBOM generator jobs provided by the CI template. See https://gitlab.com/groups/gitlab-org/-/epics/8206

### Proposal

- Release the SBOM generator(s) as distro package(s).
- Change the job definitions to fetch and install these packages when the corresponding CLI isn't found.

### Further details

See https://gitlab.com/groups/gitlab-org/-/epics/3923#note_1007703434

### Implementation plan

Draft:

- Change the CI config of the SBOM generator(s) to build and release distro package(s).
- Push these packages to the Package Registry of the SBOM generator project.
- Also push these packages to the Package Registry of the `security-products` project group, using tokens.
- Change the CI template to fetch and install the distro package when the SBOM generator CLI is missing.
- Add integration tests to check that the `image:name` of the SBOM generator jobs can be overridden.
- Document how the `image:name` can be changed, and list the supported images.

### Permissions and Security

The distro packages are published to a secure location where developers can't write: https://gitlab.com/groups/gitlab-org/security-products/-/packages. The CI template references these packages, not the ones published in the Package Registry of the source project.

This is similar to how the Docker images of the analyzers are pushed to a secure location where developers can't write: https://gitlab.com/groups/gitlab-org/security-products/-/container_registries

### Documentation

TBD after doing https://gitlab.com/groups/gitlab-org/-/epics/8206

The documentation should list the Docker images that are officially supported (images covered by the integration tests).

### Availability & Testing

Add integration tests where `image:name` is changed to specific public images. Also add integration tests for offline environments where this is supported. Finally, replicate these integration tests for runners where FIPS is enforced.

### What does success look like, and how can we measure that?

Users can override the `image:name` of the SBOM generator jobs and use a Docker image that provides the dependencies needed to list project dependencies.

### What is the type of buyer?

~"GitLab Ultimate"

### Is this a cross-stage feature?

No

### Links / references

See https://gitlab.com/groups/gitlab-org/-/epics/3923

cc @brytannia @sam.white @adamcohen
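As an added illustration of the two halves of this proposal (the template job that installs the distro package only when its CLI is missing, and a project `.gitlab-ci.yml` that overrides `image:name`), here is a sketch that is not part of this issue or of any GitLab template. The job name `sbom-generator`, the CLI name `sbom-gen`, the package/file names, the template path, the `SBOM_GEN_*` variables, and the use of `apt-get` (a Debian-based user image) are all assumptions; the generic package URL shape and the `JOB-TOKEN` header are the documented GitLab Package Registry API.

```yaml
# --- Hypothetical template: Security/SBOM-Generator.gitlab-ci.yml ---
variables:
  # Assumed: ID of the project under gitlab-org/security-products that hosts the package
  SBOM_GEN_PACKAGE_PROJECT_ID: "12345"
  SBOM_GEN_VERSION: "1.0.0"

sbom-generator:
  image:
    name: "registry.gitlab.com/security-products/sbom-generator:1"   # default image (placeholder)
  before_script:
    # Install the distro package only when the CLI is not already present on the image.
    # CI_JOB_TOKEN must be allowed to read the security-products project's package registry.
    - |
      if ! command -v sbom-gen >/dev/null 2>&1; then
        url="${CI_API_V4_URL}/projects/${SBOM_GEN_PACKAGE_PROJECT_ID}/packages/generic/sbom-gen/${SBOM_GEN_VERSION}/sbom-gen_${SBOM_GEN_VERSION}_amd64.deb"
        curl --fail --silent --show-error \
          --header "JOB-TOKEN: ${CI_JOB_TOKEN}" \
          --output /tmp/sbom-gen.deb "${url}"
        apt-get install -y /tmp/sbom-gen.deb
      fi
  script:
    - sbom-gen --output gl-sbom.cdx.json
  artifacts:
    reports:
      cyclonedx: gl-sbom.cdx.json

# --- .gitlab-ci.yml in the user's project ---
include:
  - template: Security/SBOM-Generator.gitlab-ci.yml   # placeholder template path

# Overriding only image:name keeps the template's script and artifacts intact.
sbom-generator:
  image:
    name: "python:3.11"   # user-chosen image that can resolve the project's dependencies
```

Because the template always fetches the package from the `security-products` location rather than from the source project, a user-supplied image changes only the environment, not where the generator binary comes from.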