open-horizon / devops

Devops processes to build and deploy horizon components
Apache License 2.0

Generate SBOM information for all Open Horizon components at each release. #117

Open TheMosquito opened 2 years ago

TheMosquito commented 2 years ago

Following from US gov't "EO 14028" (Google that string for more info) all US gov't software procurement will require SBOM information. Other industries will likely follow. It should be pretty straightforward to generate this SBOM information during release builds using tools like Syft (https://github.com/anchore/syft).
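One way to wire this into a release build, added here as an illustration and not taken from the open-horizon/devops automation: a GitHub Actions workflow that runs Syft through anchore/sbom-action on every published release, attaches an SPDX SBOM per component image as a release asset, and fails if Syft found no packages. The registry path and the image names in the matrix are assumptions.

```yaml
# Added example, not part of open-horizon/devops. Generates an SPDX JSON SBOM
# for each released container image with Syft and attaches it to the release.
name: release-sbom

on:
  release:
    types: [published]

permissions:
  contents: write   # required to upload the SBOM files as release assets

jobs:
  sbom:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Assumed image names; replace with the images the release job actually pushes.
        component: [amd64_anax, amd64_exchange-api, amd64_agbot]
    steps:
      - name: Generate SPDX SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          # Assumed registry path for the published component image.
          image: "docker.io/openhorizon/${{ matrix.component }}:${{ github.event.release.tag_name }}"
          format: spdx-json
          output-file: "${{ matrix.component }}.spdx.json"
          artifact-name: "${{ matrix.component }}.spdx.json"
          upload-release-assets: true

      - name: Reject an empty SBOM
        run: |
          # An SBOM with zero packages means the scan failed silently,
          # not that the image is clean; fail the job rather than publish it.
          count=$(jq '.packages | length' "${{ matrix.component }}.spdx.json")
          test "$count" -gt 0 || { echo "empty SBOM for ${{ matrix.component }}"; exit 1; }
```

Consumers can then fetch the `.spdx.json` asset for a given tag and feed it to a vulnerability scanner such as Grype, which is the point of producing the SBOM at release time rather than on demand.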

joewxboy commented 2 years ago

@bencourliss and @dabooz is this large enough to be treated as a Feature, or should it be kept as an issue?

joewxboy commented 2 years ago

@bencourliss Does this have any dependencies on migrating any automation, or can/should it be done with existing automation?