diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 3836d2ef62b9ad2de619b79a329f5e2d07cdabfe..50ef7c14b404f5452364577da1ccc79548990522 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -1329,22 +1329,25 @@ docker-sbom: /syft version - mkdir -p -m 777 reports - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') - - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json - - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json + - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -o json=reports/docker-sbom-${basename}.native.json + - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json reports/docker-sbom-${basename}.native.json - | if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then - log_info "Attaching attested SBOM to ${DOCKER_SNAPSHOT_IMAGE}..." + echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl + /syft convert ${TRACE+-vv} reports/docker-sbom-${basename}.native.json -t .img-digest.tmpl -o template=.img-digest.txt + docker_image_digest=$(cat .img-digest.txt) + log_info "Attaching attested SBOM to ${docker_image_digest}..." install_cosign configure_cosign_private_key - $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${DOCKER_SNAPSHOT_IMAGE} + $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${docker_image_digest} fi artifacts: name: "SBOM for docker from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" expire_in: 1 week when: always paths: - - "reports/docker-sbom-*.cyclonedx.json" + - "reports/docker-sbom-*" reports: cyclonedx: - "reports/docker-sbom-*.cyclonedx.json"