
chore: enable SBOM attestation for image builds #16852


Merged
merged 3 commits into from
Mar 10, 2025

Conversation

matifali

@matifali matifali commented Mar 7, 2025

Important

We also need to enable containerd on depot runners.

Testing

  • Tested locally with docker buildx build --sbom=true --output type=local,dest=out -f Dockerfile . to verify that an SBOM file is generated.
  • Tested in CI to ensure the image builds without any errors.

Also closes coder/internal#88
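A quick way to go beyond "an SBOM file is generated" and actually check what the local-output build wrote. This is an added example for this thread, not code from the coder repository or the PR: it reads the `sbom.spdx.json` that `docker buildx build --sbom=true --output type=local,dest=out` places in the output directory (file name per Docker's attestation docs), validates that it is an SPDX 2.x document, and compares the package list against a caller-supplied expectation. The `SAMPLE_SBOM` document is constructed and trimmed for the example (real scanner output lists hundreds of packages), and the `expect` mapping is a hypothetical policy input.

```python
"""Check the SPDX SBOM that `docker buildx build --sbom=true --output type=local,dest=out`
writes to out/sbom.spdx.json (added example, not project code)."""
import json
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: a trimmed SPDX 2.3 JSON document of the shape BuildKit's
# syft-based scanner emits. Names, versions and namespace are made up for the example.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "documentNamespace": "https://example.invalid/sbom/example-image",
    "creationInfo": {"created": "2025-03-07T00:00:00Z", "creators": ["Tool: syft"]},
    "packages": [
        {"name": "ca-certificates", "SPDXID": "SPDXRef-Package-deb-ca-certificates",
         "versionInfo": "20230311", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/ca-certificates@20230311"}]},
        {"name": "golang.org/x/crypto", "SPDXID": "SPDXRef-Package-go-module-x-crypto",
         "versionInfo": "v0.31.0", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:golang/golang.org/x/crypto@v0.31.0"}]},
        # A package the scanner found but could not version: worth flagging,
        # because it cannot be matched against vulnerability data.
        {"name": "noversion-pkg", "SPDXID": "SPDXRef-Package-noversion",
         "downloadLocation": "NOASSERTION"},
    ],
})

REQUIRED_TOP_LEVEL = ("spdxVersion", "SPDXID", "name", "creationInfo", "packages")


def load_sbom(text: str) -> dict:
    """Parse an SPDX JSON document and refuse anything that is not one."""
    doc = json.loads(text)
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in doc]
    if missing:
        raise ValueError(f"not an SPDX JSON SBOM, missing fields: {missing}")
    if not str(doc["spdxVersion"]).startswith("SPDX-2."):
        raise ValueError(f"unexpected spdxVersion {doc['spdxVersion']!r}")
    return doc


def packages(doc: dict) -> Dict[str, Optional[str]]:
    """Map package name -> version (None when the scanner recorded no version)."""
    return {p["name"]: p.get("versionInfo") for p in doc["packages"]}


def purls(doc: dict) -> List[str]:
    """Every package URL in the document; purls are what vulnerability feeds match on."""
    out = []
    for p in doc["packages"]:
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                out.append(ref["referenceLocator"])
    return out


def check_sbom(text: str, expect: Dict[str, str]) -> List[str]:
    """Return problems found: expected packages that are absent or at another
    version, plus any package the scanner could not version at all."""
    have = packages(load_sbom(text))
    problems = []
    for name, version in expect.items():
        if name not in have:
            problems.append(f"missing: {name}")
        elif have[name] != version:
            problems.append(f"version mismatch: {name} is {have[name]}, expected {version}")
    for name, version in have.items():
        if version is None:
            problems.append(f"unversioned: {name}")
    return problems


def check_build_output(out_dir: str, expect: Dict[str, str]) -> List[str]:
    """Read <out_dir>/sbom.spdx.json as written by `--output type=local,dest=<out_dir>`."""
    path = Path(out_dir) / "sbom.spdx.json"
    if not path.is_file():
        return [f"no SBOM at {path}; was the build run with --sbom=true?"]
    return check_sbom(path.read_text(), expect)


if __name__ == "__main__":
    # Against a real build: check_build_output("out", {"golang.org/x/crypto": "v0.31.0"})
    for line in check_sbom(SAMPLE_SBOM, {"golang.org/x/crypto": "v0.31.0"}):
        print(line)
```

The unversioned-package check is the part that usually pays off: a scanner that sees a binary but cannot work out its version produces a package entry that no advisory feed will ever match, so the image looks clean without being clean.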

@matifali matifali changed the title chore: enable SBOM and Containerd Support in Docker Builds chore: enable SBOM and containerd support in Docker builds Mar 7, 2025
@matifali matifali force-pushed the atif/sbom branch 5 times, most recently from 4a7c230 to 76500be March 7, 2025 22:43
@matifali matifali closed this Mar 7, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Mar 7, 2025
Added SBOM (Software Bill of Materials) generation during Docker build to enhance traceability. Refer to Docker documentation on SBOM: docs.docker.com/build/metadata/attestations/sbom
Updated Docker build scripts to use BuildKit for provenance and SBOM support: docs.docker.com/build/metadata/attestations
Configured Docker daemon to support the Containerd snapshotter feature to improve performance: docs.docker.com/engine/storage/containerd
@matifali matifali reopened this Mar 7, 2025
@coder coder unlocked this conversation Mar 7, 2025
@matifali matifali changed the title chore: enable SBOM and containerd support in Docker builds [DNM] chore: enable SBOM and containerd support in Docker builds Mar 7, 2025
@matifali matifali changed the title [DNM] chore: enable SBOM and containerd support in Docker builds chore: enable SBOM and containerd support in Docker builds Mar 8, 2025
@matifali matifali changed the title chore: enable SBOM and containerd support in Docker builds chore: enable SBOM attestation for image builds Mar 8, 2025
@matifali matifali marked this pull request as ready for review March 8, 2025 22:19
@matifali matifali requested a review from ThomasK33 March 10, 2025 09:45
@ThomasK33 ThomasK33 left a comment


LGTM.

Doesn't have to be part of this PR, but we might want to add build provenance to our release pipeline.

@matifali matifali requested a review from johnstcn March 10, 2025 10:12
@johnstcn johnstcn left a comment


We previously ran into issues with this:

AFAIR it occurred after enabling the containerd store in depot.dev.

If images are being pushed correctly after re-enabling the containerd store then this looks OK to me.

@matifali

If images are being pushed correctly after re-enabling the containerd store, then this looks OK to me.

I have not tested pushing to a registry yet, only locally. containerd is a requirement for SBOM attestation.

I will try to test by pushing to a registry before merging.

@matifali matifali merged commit 05ebece into main Mar 10, 2025
46 checks passed
@matifali matifali deleted the atif/sbom branch March 10, 2025 19:24
@github-actions github-actions bot locked and limited conversation to collaborators Mar 10, 2025
@matifali matifali restored the atif/sbom branch March 10, 2025 19:39

Successfully merging this pull request may close these issues.

Provenance attestations for images