chore: enable SBOM and containerd support in Docker builds

matifali · matifali · commit f111de2bd3e6 · 2025-03-07T22:48:48.000Z
Added SBOM (Software Bill of Materials) generation during Docker build to enhance traceability. Refer to Docker documentation on SBOM: docs.docker.com/build/metadata/attestations/sbom
Updated Docker build scripts to use BuildKit for provenance and SBOM support: docs.docker.com/build/metadata/attestations
Configured Docker daemon to support the Containerd snapshotter feature to improve performance: docs.docker.com/engine/storage/containerd
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -361,6 +361,7 @@ jobs:
           file: scripts/Dockerfile.base
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           provenance: true
+          sbom: true
           pull: true
           no-cache: true
           push: true
diff --git a/dogfood/contents/files/etc/docker/daemon.json b/dogfood/contents/files/etc/docker/daemon.json
@@ -1,3 +1,6 @@
 {
-	"registry-mirrors": ["https://mirror.gcr.io"]
+	"registry-mirrors": ["https://mirror.gcr.io"],
+	"features": {
+		"containerd-snapshotter': true
+	}
 }
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
@@ -136,10 +136,12 @@ fi
 
 log "--- Building Docker image for $arch ($image_tag)"
 
-docker build \
+docker buildx build \
 	--platform "$arch" \
 	--build-arg "BASE_IMAGE=$base_image" \
 	--build-arg "CODER_VERSION=$version" \
+	--provenence true \
+	--sbom true \
 	--no-cache \
 	--tag "$image_tag" \
 	-f Dockerfile \

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,6 @@`
`1`	`1`	`{`
`2`		`- "registry-mirrors": ["https://mirror.gcr.io"]`
	`2`	`+ "registry-mirrors": ["https://mirror.gcr.io"],`
	`3`	`+ "features": {`
	`4`	`+ "containerd-snapshotter': true`
	`5`	`+ }`
`3`	`6`	`}`