
Commit 5941366

committed
✨ tweak: update sbom generation
1 parent fc79c45 commit 5941366


2 files changed

+32
-35
lines changed


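--- a/.gitignore
+++ b/.gitignore
@@ -69,6 +69,9 @@ ai_docs/
 # SBOM (Software Bill of Materials) generated files
 sbom/
 
+# Local tool binaries (syft, etc.)
+bin/
+
 # Temporary files
 *.tmp
 *.temp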
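--- a/scripts/generate-sbom.sh
+++ b/scripts/generate-sbom.sh
@@ -44,56 +44,50 @@ echo -e "${BLUE}🔍 Generating SBOM locally for ${IMAGE_NAME}${NC}"
 # Create output directory
 mkdir -p "${OUTPUT_DIR}"
 
-# Force use of local Docker builder (not cloud builder)
-echo -e "${BLUE}🔧 Ensuring local Docker builder is used...${NC}"
-docker buildx use default 2>/dev/null || docker buildx create --use --name local-builder --driver docker
+# Ensure we're using local Docker context and builder
+echo -e "${BLUE}🔧 Ensuring local Docker setup...${NC}"
+docker context use default 2>/dev/null || true
+docker buildx use default 2>/dev/null || true
 
 # Check if image exists locally
 if ! docker image inspect "${IMAGE_NAME}" >/dev/null 2>&1; then
 echo -e "${RED}❌ Image ${IMAGE_NAME} not found locally${NC}"
-echo -e "${YELLOW}💡 Building image with SBOM generation using LOCAL builder only...${NC}"
+echo -e "${YELLOW}💡 Building image locally (SBOM will be generated with syft)...${NC}"
 
-# Build image with SBOM generation using LOCAL builder only
-docker buildx build \
---builder local-builder \
---sbom=true \
---provenance=mode=max \
---tag "${IMAGE_NAME}" \
---metadata-file "${OUTPUT_DIR}/build_metadata_${TIMESTAMP}.json" \
---load \
-.
+# Simple local build without buildx complications
+docker build -t "${IMAGE_NAME}" .
 else
 echo -e "${GREEN}✅ Image ${IMAGE_NAME} found locally${NC}"
 fi
 
-# Try to extract SBOM from existing image
-echo -e "${YELLOW}📋 Attempting to extract SBOM from image...${NC}"
-if docker buildx imagetools inspect "${IMAGE_NAME}" --format "{{ json .SBOM.SPDX }}" > "${OUTPUT_DIR}/sbom_${TIMESTAMP}.spdx.json" 2>/dev/null; then
-echo -e "${GREEN}✅ SBOM extracted successfully${NC}"
+# Generate SBOM using syft (most reliable method for local development)
+echo -e "${YELLOW}📋 Generating SBOM with syft...${NC}"
+if command -v syft >/dev/null 2>&1; then
+syft "${IMAGE_NAME}" -o spdx-json > "${OUTPUT_DIR}/sbom_${TIMESTAMP}.spdx.json"
+echo -e "${GREEN}✅ SBOM generated with syft${NC}"
 else
-echo -e "${YELLOW}⚠️ No embedded SBOM found. Generating with syft...${NC}"
+echo -e "${YELLOW}📦 Installing syft locally for SBOM generation...${NC}"
 
-# Use syft as fallback to generate SBOM
-if command -v syft >/dev/null 2>&1; then
-syft "${IMAGE_NAME}" -o spdx-json > "${OUTPUT_DIR}/sbom_${TIMESTAMP}.spdx.json"
-echo -e "${GREEN}✅ SBOM generated with syft${NC}"
+# Create local bin directory for syft
+mkdir -p ./bin
+
+# Download and install syft to local directory (Windows-compatible)
+if [[ "$OSTYPE" == "msys" || "$OSTYPE" == "win32" || "$OSTYPE" == "cygwin" ]]; then
+# Windows
+curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ./bin
 else
-echo -e "${YELLOW}📦 Installing syft for SBOM generation...${NC}"
-# Install syft using the official installer
-curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
-syft "${IMAGE_NAME}" -o spdx-json > "${OUTPUT_DIR}/sbom_${TIMESTAMP}.spdx.json"
-echo -e "${GREEN}✅ SBOM generated with syft${NC}"
+# Linux/Mac
+curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ./bin
 fi
+
+# Use local syft binary
+./bin/syft "${IMAGE_NAME}" -o spdx-json > "${OUTPUT_DIR}/sbom_${TIMESTAMP}.spdx.json"
+echo -e "${GREEN}✅ SBOM generated with local syft installation${NC}"
 fi
 
-# Try to extract provenance (optional, won't fail if not available)
-echo -e "${YELLOW}📋 Attempting to extract provenance attestations...${NC}"
-if docker buildx imagetools inspect "${IMAGE_NAME}" --format "{{ json .Provenance }}" > "${OUTPUT_DIR}/provenance_${TIMESTAMP}.json" 2>/dev/null; then
-echo -e "${GREEN}✅ Provenance attestations extracted${NC}"
-else
-echo -e "${YELLOW}⚠️ No provenance attestations found (this is normal for locally built images)${NC}"
-echo "null" > "${OUTPUT_DIR}/provenance_${TIMESTAMP}.json"
-fi
+# Skip provenance extraction to avoid buildx complications for local development
+echo -e "${YELLOW}ℹ️ Skipping provenance extraction (not needed for local development)${NC}"
+echo "null" > "${OUTPUT_DIR}/provenance_${TIMESTAMP}.json"
 
 # Generate human-readable summary
 echo -e "${YELLOW}📄 Creating human-readable SBOM summary...${NC}"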
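Review bot: The install path at new lines 77 and 80 pipes `install.sh` fetched from the unpinned `main` branch straight into `sh` and then executes the resulting `./bin/syft`, so whatever that URL serves at run time is what produces the SBOM that this script exists to make trustworthy; pin a release tag (the anchore installer accepts `-b bindir [tag]` and the script can be fetched from the tag's path — confirm against the installer's usage text) and download the installer to a temporary file before running it so it can be inspected or checksummed. The two `$OSTYPE` branches at new lines 75–81 run byte-identical commands, so the conditional is dead and can be collapsed into the single install below. Separately, the `syft … > "${OUTPUT_DIR}/sbom_${TIMESTAMP}.spdx.json"` redirects at new lines 66 and 84 leave a truncated file and still print the success message when syft exits non-zero unless `set -e` is in effect in the script header, which is outside this hunk; appending `|| exit 1` to each would make the failure explicit. Note also that `./bin` resolves against the caller's working directory rather than the script's location.
```shell
# … unchanged: mkdir -p ./bin …
# Pin installer and binary to one release; SYFT_VERSION is a placeholder for the tag you choose.
: "${SYFT_VERSION:?set SYFT_VERSION to the syft release tag to install}"
installer=$(mktemp) || exit 1
curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_VERSION}/install.sh" -o "$installer" || exit 1
sh "$installer" -b ./bin "${SYFT_VERSION}" || exit 1
rm -f -- "$installer"
# … unchanged: ./bin/syft invocation and success message …
```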
