Open achrefbensaad opened 1 year ago
Hey @achrefbensaad, I'd like to work on this issue. Can you assign it to me? As you mentioned, we need to update the CI, but after seeing the current CI setup for the project I think we will need a different file for the SBOM (ci-release-sbom.yaml), something like below:

```yaml
name: SBOM
on:
  release:
    types: [published]
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ github.ref_name }}
      - name: Anchore SBOM Action
        uses: anchore/sbom-action@v0.12.0
        with:
          format: cyclonedx-json
```

Can you confirm if this is a correct way of doing it?
Hi @slayer321, can you please try the CI on your GH fork?
@achrefbensaad, I checked it on my fork and it works. You can check it here: https://github.com/slayer321/KubeArmor/releases/tag/v0.2
Branch with the CI changes: https://github.com/slayer321/KubeArmor/tree/slayer321/add-SBOM
Hey @achrefbensaad and @slayer321, in the last meeting we decided that we will use `bom` for generating SBOMs. `latest-release` and `stable-release` will be appropriate. This can be a separate workflow, given the workflow runs only after the `latest-release` and `stable-release` workflows are complete and successful. `bom generate -i kubearmor/kubearmor:latest --format json` as an extra step in the same workflow would be good. Similar for the init image. `cosign attach sbom` command, `cosign sign`.
cc @daemon1024
We should, just in case, compare the SBOMs generated by both Syft and BOM and see if there are any differences that should be considered for the choice of tooling. In general BOM would be preferred due to being used by k8s as well. But still....
Hi @slayer321, can you please compare the results of the two tools, so we can select the one that suits us best.
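As an added example (not code from the thread or the KubeArmor project), a small Python script that does the comparison asked for above: it normalizes a Syft CycloneDX JSON document and a `bom` SPDX JSON document to package name/version pairs and reports what each tool found that the other did not, plus packages where the two disagree on version. The two SBOM documents are constructed samples with made-up package versions, not real KubeArmor output.

```python
import json

# Constructed sample (not real KubeArmor output): the shape Syft's anchore/sbom-action
# emits with format cyclonedx-json. Only the fields the comparison needs are kept.
SYFT_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libc6", "version": "2.31-13"},
        {"type": "library", "name": "github.com/cilium/ebpf", "version": "v0.9.1"},
        {"type": "library", "name": "golang.org/x/sys", "version": "v0.1.0"},
    ],
})

# Constructed sample (not real output): the shape `bom generate --format json` emits.
# bom writes SPDX JSON, so packages carry "versionInfo" rather than "version".
BOM_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Package-libc6", "name": "libc6", "versionInfo": "2.31-13"},
        {"SPDXID": "SPDXRef-Package-ebpf", "name": "github.com/cilium/ebpf", "versionInfo": "v0.9.1"},
        {"SPDXID": "SPDXRef-Package-sys", "name": "golang.org/x/sys", "versionInfo": "v0.2.0"},
        {"SPDXID": "SPDXRef-Package-ka", "name": "github.com/kubearmor/KubeArmor", "versionInfo": "v0.7.0"},
    ],
})


def cyclonedx_packages(doc: str) -> dict:
    """Map package name -> version from a CycloneDX JSON document."""
    return {c["name"]: c.get("version", "") for c in json.loads(doc).get("components", [])}


def spdx_packages(doc: str) -> dict:
    """Map package name -> version from an SPDX JSON document."""
    return {p["name"]: p.get("versionInfo", "") for p in json.loads(doc).get("packages", [])}


def compare_sboms(cyclonedx_doc: str, spdx_doc: str) -> dict:
    """Report packages seen by only one tool, version disagreements, and full matches."""
    syft, bom = cyclonedx_packages(cyclonedx_doc), spdx_packages(spdx_doc)
    both = set(syft) & set(bom)
    return {
        "only_syft": sorted(set(syft) - set(bom)),
        "only_bom": sorted(set(bom) - set(syft)),
        "version_mismatch": sorted((n, syft[n], bom[n]) for n in both if syft[n] != bom[n]),
        "agree": sorted(n for n in both if syft[n] == bom[n]),
    }


if __name__ == "__main__":
    print(json.dumps(compare_sboms(SYFT_CYCLONEDX, BOM_SPDX), indent=2))
```

On real output, point the two loaders at the files written by the Syft action and by `bom generate`; the `only_*` and `version_mismatch` lists are what to look at when deciding between the tools.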
Hey @slayer321, are you working on this issue?
Hey @Ankurk99, no. I was busy with some other stuff and was not able to work on this issue. But now I can start looking into this issue.
We would like to generate an SBOM (Software Bill of Materials) for KubeArmor for each release.
We can use the syft GitHub Action for that purpose: link