From 390f1f23505a9dd12f99000d8434485c0b748467 Mon Sep 17 00:00:00 2001
From: Clement Bois
Date: Sun, 31 Aug 2025 19:50:02 +0200
Subject: [PATCH 1/2] fix(sbom): attest digest instead of tag for multi-platform manifest, it puts the attestation on the actual (amd64) image instead of its manifest
---
 templates/gitlab-ci-docker.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 3836d2e..7b74f71 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -1328,16 +1328,18 @@ docker-sbom:
 log_info "Syft version:"
 /syft version
 - mkdir -p -m 777 reports
+ - echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl
 - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
- - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json
+ - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -t .img-digest.tmpl -o template=.img-digest.txt
 - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json
 - |
 if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]]
 then
- log_info "Attaching attested SBOM to ${DOCKER_SNAPSHOT_IMAGE}..."
+ docker_image_digest=$(cat .img-digest.txt)
+ log_info "Attaching attested SBOM to ${docker_image_digest}..."
 install_cosign
 configure_cosign_private_key
- $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${DOCKER_SNAPSHOT_IMAGE}
+ $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${docker_image_digest}
 fi
 artifacts:
 name: "SBOM for docker from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
-- 
GitLab
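Review bot: The new `docker_image_digest=$(cat .img-digest.txt)` line hands whatever the template rendered straight to `cosign attest` without checking that it is actually a `repo@sha256:<64 hex>` reference, so an empty file or a Go-template `<no value>` would make cosign attest an unintended reference or fail with an unhelpful error late in the job. I would guard it right after the `cat`: `[[ "${docker_image_digest}" =~ ^[^@[:space:]]+@sha256:[0-9a-f]{64}$ ]] || { echo "unexpected image reference '${docker_image_digest}'" >&2; exit 1; }`. Since the attestation is now bound to a digest rather than the tag, the log line is the only record of which manifest was attested; keeping the `log_info` before the guard is fine, but the guard should come before `install_cosign` so a bad reference never reaches the signing key. The `docker-sbom` job and its `script:` list start before this hunk.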
From a46225baa19f79f0f44f7b025137eae0d81140ae Mon Sep 17 00:00:00 2001
From: Clement Bois
Date: Sun, 31 Aug 2025 21:00:14 +0200
Subject: [PATCH 2/2] fix(sbom): report native json and convert for digest
---
 templates/gitlab-ci-docker.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 7b74f71..50ef7c1 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -1328,13 +1328,14 @@ docker-sbom:
 log_info "Syft version:"
 /syft version
 - mkdir -p -m 777 reports
- - echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl
 - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
- - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -t .img-digest.tmpl -o template=.img-digest.txt
- - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json
+ - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -o json=reports/docker-sbom-${basename}.native.json
+ - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json reports/docker-sbom-${basename}.native.json
 - |
 if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]]
 then
+ echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl
+ /syft convert ${TRACE+-vv} reports/docker-sbom-${basename}.native.json -t .img-digest.tmpl -o template=.img-digest.txt
 docker_image_digest=$(cat .img-digest.txt)
 log_info "Attaching attested SBOM to ${docker_image_digest}..."
 install_cosign
@@ -1346,7 +1347,7 @@ docker-sbom:
 expire_in: 1 week
 when: always
 paths:
- - "reports/docker-sbom-*.cyclonedx.json"
+ - "reports/docker-sbom-*"
 reports:
 cyclonedx:
 - "reports/docker-sbom-*.cyclonedx.json"
-- 
GitLab
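Review bot: The template written on the new `echo` line builds the reference from `{{.source.id}}`, which as far as I can tell from syft's source model is syft's own artifact ID (a hash derived from the manifest digest, plus the alias when one is given) rather than the registry manifest digest itself; if that holds, `cosign attest` is pointed at a `sha256:` that no registry serves. Syft's image metadata carries the real value, so the template should rather be `{{.source.name}}@{{.source.metadata.manifestDigest}}` (that field already carries the `sha256:` prefix) or the first entry of `.source.metadata.repoDigests`, and the rendered reference should be checked once against `crane digest` or `docker buildx imagetools inspect` before the job is trusted. Because the scanned manifest is the single platform syft pulled (amd64, per the commit message), the other platforms in the index receive no SBOM attestation; a comment above the `echo` such as `# attests the platform-specific manifest syft scanned, not the multi-arch index` would keep that limitation visible. The `if` block and the cosign attest call continue past the end of this hunk.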