Containers: Implement SBOM generation
## Summary

As an improvement to all containerized outputs, we look to ensure SBOM availability for all containers produced through Build tooling. This aligns with improvements in operational verification and in security.

## Details

Internal and external drivers are asking for SBOMs on our containers, and this is a significant item. We can do this in a myriad of ways, but there are existing tools we can leverage immediately to accelerate the availability of these materials without locking us into any one route.

[anchore/syft](https://github.com/anchore/syft?tab=readme-ov-file#syft) provides a method which can meet a significant portion of the needs, and meets the conditions for our usage:

- Compiled Go binary
- License: Apache 2.0
- Can be automated
- Artifacts output in multiple formats (CycloneDX, SPDX)
- Can scan [containers, archives, directories, files](https://github.com/anchore/syft/wiki/supported-sources) _without_ requiring a container runtime (images can be pulled straight from a registry)
- A breadth of [supported ecosystems](https://github.com/anchore/syft?tab=readme-ov-file#supported-ecosystems)
- Range of depth, covering "visible" (the default squashed filesystem view) and "deep" (every layer, including files a later layer deleted or overwrote; see `--scope all-layers`)

The output material could be further valuable: it can be signed with `cosign`, and then attached to the container manifests via `oras` using the OCI referrers API. Red Hat shows this pattern [here](https://www.redhat.com/en/blog/announcing-open-container-initiativereferrers-api-quayio-step-towards-enhanced-security-and-compliance).
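The following is an added example for this epic, not the CI component that was merged and not the project's own code: a hypothetical GitLab CI job that pulls the freshly built image from the registry with syft (no container runtime in the job), writes both SBOM formats, signs the CycloneDX file with `cosign` and attaches SBOM plus signature bundle to the image manifest with `oras`. The job name, the tools image (`registry.example.com/tools/sbom-tools:1.0.0`), the assumption that a prior `build` stage pushed `$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA`, the use of keyless Sigstore signing via the GitLab OIDC token, and the media type chosen for the bundle are all assumptions, not things the epic states.

```yaml
# Added example for this epic, not the CI component from the linked MR.
# Assumptions not stated in the epic: an earlier "build" stage pushed the image
# as $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA; a pinned internal tools image (placeholder
# name below) bundles syft, cosign, oras and jq; keyless Sigstore signing via the
# GitLab OIDC token is acceptable for these artifacts.
stages:
  - build
  - sbom

generate-and-attach-sbom:
  stage: sbom
  image: registry.example.com/tools/sbom-tools:1.0.0   # placeholder; pin by tag or digest
  variables:
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    COSIGN_YES: "true"        # non-interactive: accept the Rekor transparency-log upload
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore           # cosign exchanges this token for a short-lived Fulcio certificate
  script:
    # One login serves all three tools, which read ~/.docker/config.json.
    - echo "$CI_REGISTRY_PASSWORD" | oras login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # Resolve the mutable tag to a manifest digest once; everything below is pinned to it.
    - DIGEST=$(oras manifest fetch --descriptor "$IMAGE" | jq -r .digest)
    - IMAGE_REF="$CI_REGISTRY_IMAGE@$DIGEST"
    # "registry:" forces a registry pull, so the job needs no Docker socket;
    # --scope all-layers also catalogs files that a later layer deleted or replaced.
    - syft "registry:$IMAGE_REF" --scope all-layers -o cyclonedx-json=sbom.cdx.json -o spdx-json=sbom.spdx.json
    # Fail closed on an empty SBOM (a wrong source or an unsupported ecosystem yields one silently).
    - test "$(jq '.components | length' sbom.cdx.json)" -gt 0
    # Sign the SBOM blob; the bundle carries signature, certificate and Rekor entry for later verification.
    - cosign sign-blob --bundle sbom.cdx.bundle sbom.cdx.json
    # Attach SBOM and bundle to the image manifest as one OCI referrer artifact.
    # The bundle media type is an assumption here; consumers must agree on it.
    - oras attach --artifact-type application/vnd.cyclonedx+json "$IMAGE_REF" sbom.cdx.json:application/vnd.cyclonedx+json sbom.cdx.bundle:application/vnd.dev.sigstore.bundle+json
    # Verify before declaring success: the signing identity must be this project's pipeline.
    - cosign verify-blob --bundle sbom.cdx.bundle --certificate-oidc-issuer "$CI_SERVER_URL" --certificate-identity-regexp "^$CI_SERVER_URL/$CI_PROJECT_PATH//" sbom.cdx.json
    - oras discover --artifact-type application/vnd.cyclonedx+json "$IMAGE_REF"
  artifacts:
    paths:
      - sbom.cdx.json
      - sbom.spdx.json
      - sbom.cdx.bundle
    reports:
      cyclonedx: sbom.cdx.json   # GitLab also ingests this into the project's dependency list
```

Two design points worth keeping whichever tooling the final component uses: sign and attach against the manifest digest rather than the tag, so the SBOM cannot be silently re-pointed at a different image, and verify the signature in the same job that produced it, so a misconfigured identity or issuer fails the pipeline instead of surfacing when a consumer tries to verify. If the registry does not support the referrers API, `cosign attest --type cyclonedx --predicate sbom.cdx.json "$IMAGE_REF"` stores an in-toto attestation under cosign's own tag scheme instead.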
## Actionable

- [x] Spike to investigate value of Syft
- [x] Research to derive best implementation method, and timing
- [x] Create CI component
- [x] Implement into pipelines

# DRI

@psingh29

# Participants

<!--STATUS NOTE SECTION: This section will be managed and updated automatically by this project: https://gitlab.com/gitlab-com/gl-infra/epic-issue-summaries-->
<!-- STATUS NOTE START -->
## Status 2025-11-05

<!-- Create a high level summary (optional) -->

:tada: **achievements**:
- We have approved the merge of [MR](https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2658). We can close this epic now.

:issue-blocked: **blockers**:
-

:arrow_forward: **next**:
-

_Copied from https://gitlab.com/groups/gitlab-org/distribution/-/epics/93#note_2867820417_
<!-- STATUS NOTE END -->
epic