ci: generate sboms for provided packeges in a release

.github/workflows/ci.yml

@@ -20,6 +20,9 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+
+      - name: Install syft for sbom generation
+        uses: anchore/sbom-action/[email protected]
 
       - name: Build snapshot artifacts
         uses: goreleaser/goreleaser-action@v6

.github/workflows/e2e_checks.yml

@@ -44,6 +44,9 @@ jobs:
           "network_plugin": "kathara/katharanp_vde"
           }' > ~/.config/kathara.conf
 
+      - name: Install syft for sbom generation
+        uses: anchore/sbom-action/[email protected]
+
       - name: Build binary for e2e
         uses: goreleaser/goreleaser-action@v6
         with:

.github/workflows/release.yml

@@ -37,6 +37,9 @@ jobs:
           registry: mtr.devops.telekom.de
           username: ${{ secrets.MTR_USERNAME }}
           password: ${{ secrets.MTR_PASSWORD }}
+
+      - name: Install syft for sbom generation
+        uses: anchore/sbom-action/[email protected]
 
       - name: Build, push & release
         uses: goreleaser/goreleaser-action@v6

.goreleaser-ci.yaml

@@ -1,3 +1,4 @@
+version: 2
 project_name: sparrow
 snapshot:
   name_template: "commit-{{ .ShortCommit }}"
@@ -25,3 +26,5 @@ dockers:
       - --label=org.opencontainers.image.created={{ .Timestamp }}
       - --label=org.opencontainers.image.revision={{ .FullCommit }}
       - --label=org.opencontainers.image.licenses="Apache 2.0"
+sboms:
+  - artifacts: archive

.goreleaser.yaml

@@ -1,3 +1,4 @@
+version: 2
 project_name: sparrow
 builds:
   - env: [CGO_ENABLED=0]
@@ -39,3 +40,8 @@ nfpms:
       - deb
       - rpm
       - apk
+sboms:
+  - id: archive
+    artifacts: archive
+  - id: source
+    artifacts: source

scripts/sbom/README.md

@@ -0,0 +1,23 @@
+# Generate SBOM with Syft
+
+This doc can be used to generate a SBOM manually with [Syft](https://github.com/anchore/syft).
+
+## Usage
+
+Install the Syft binary.
+
+Use the following command to generate a simple SBOM file form the repository:
+
+```shell
+syft .
+```
+
+Alternative output variants can be found [here](https://github.com/anchore/syft/wiki/Output-Formats).
+
+Use the following command to generate a SBOM markdown file using the `example.sbom.tmpl` goTemplate template file:
+
+```shell
+SYFT_GOLANG_SEARCH_REMOTE_LICENSES=true syft ghcr.io/telekom/sparrow:v0.5.0 -o template -t scripts/sbom/example.sbom.tmpl
+```
+
+Setting the env variable `SYFT_GOLANG_SEARCH_REMOTE_LICENSES=true` will ensure to lookup licenses remotely. In this example the sparrow image in version `v0.5.0` is scanned.

scripts/sbom/example.sbom.tmpl

@@ -0,0 +1,5 @@
+| Package | Type | Version | Licenses |
+| ------- | ---- | ------- | -------- |
+{{- range .artifacts}}
+| {{.name}} | {{.type}} | {{.version}} | {{range $index, $licence := .licenses}}{{- if $index}}, {{end}}{{$licence.value}}{{end}} |
+{{- end}}