
build: use docker to generate and attest SBOMs

Open · AryanBakliwal opened this issue 10 months ago · 1 comment

use docker to generate and attest SBOMs

Right now Keptn is using anchore/sbom-action to generate SBOMs for images, which generates the SBOMs after the build process. This PR adds docker/build-push-action to generate and attest the SBOM during the release pipeline.

Fixes #3309

How to test

  • [ ] Manual Test A
  • [ ] Unit Test B
  • [ ] Integration Test C

Checklist

  • [x] My PR fulfills the Definition of Done of the corresponding issue and not more (or parts if the issue is separated into multiple PRs)
  • [x] I used descriptive commit messages to help reviewers understand my thought process
  • [x] I signed off all my commits according to the Developer Certificate of Origin (DCO); see the Contribution Guide
  • [x] My PR title is formatted according to the semantic PR conventions described in the Contribution Guide
  • [x] My code follows the style guidelines of this project (golangci-lint passes, YAMLLint passes)
  • [x] I have performed a self-review of my code
  • [x] My changes result in all-green PR checks (first-time contributors need to ask a maintainer to approve their test runs)
  • [x] New and existing unit and integration tests pass locally with my changes

AryanBakliwal · Apr 04 '24 10:04
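The approach the PR describes, as an added illustration that is not code from this PR or the Keptn repository: a release job where docker/build-push-action asks BuildKit to generate an SBOM and a provenance attestation at build time, so both are pushed to the registry attached to the image rather than produced afterwards. The image name, registry login and action versions are assumptions for the example.

```yaml
# Added example (not from Keptn or this PR). Image name, registry and action
# versions are assumptions; the docker/* inputs used here are the actions'
# documented ones.
name: release-image
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3   # BuildKit is required for attestations
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/example-org/example-image:${{ github.ref_name }}
          sbom: true            # BuildKit generates an SPDX SBOM attestation
          provenance: mode=max  # SLSA provenance with full build details
      # Check that the SBOM attestation is actually stored with the image,
      # so consumers can verify it from the registry without a release asset.
      - run: |
          docker buildx imagetools inspect \
            ghcr.io/example-org/example-image:${{ github.ref_name }} \
            --format '{{ json .SBOM }}'
```

Because the attestations are part of the pushed image index, anyone pulling the image can inspect them with the same `imagetools inspect` command, which is the difference from attaching a separately generated SBOM to the GitHub release.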

I think we want to keep our current setup that attaches the SBOMs to the releases. I will close this PR.

mowies · Aug 05 '24 09:08