redhat-buildpacks / testing

Project aiming to help us to perform e2e tests using Buildpacks
Apache License 2.0

[Suggestion] Being able to use different tools to grab the SBOM #44

Open cmoulliard opened 1 year ago

cmoulliard commented 1 year ago

Suggestion

It would be interesting if the existing RHTAP "sbom-task" and its image supported different tools able to grab the SBOM and generate the output, and not only cosign, as for example we can only use the grype tool for Buildpacks:

      - name: show-sbom
        # Goal: Export from the buildpack image the SBOM files using Grype tool
        # Definition: https://github.com/tektoncd/catalog/tree/main/task/grype/0.1
        # Assumed: the catalog grype task is installed in the cluster under this name
        taskRef:
          name: grype
        when:
          - input: $(params.enable-sbom)
            operator: in
            values: ["true"]
        params:
          - name: GRYPE_IMAGE
            value: anchore/grype:v0.65.1
          - name: ARGS
            # ARGS is an array param expanded into argv, so the flag and its value
            # must be separate items ("-o table"), not one item ("-o table" as a single arg)
            value:
              - $(tasks.build-container.results.IMAGE_URL)
              - -o
              - $(params.grype-sbom-format)
brianwcook commented 1 year ago

I'm not sure what you are trying to do here, create an SBOM or fetch it?

cmoulliard commented 1 year ago

Buildpacks generate the SBOM OOTB during the build. I'm using the grype task here to be able to get it from the OCI image built and print the content to stdout as a table, JSON, or another format.
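A tool-agnostic way to do what the thread is asking for, pulling the Buildpacks-generated SBOM out of the built image and printing it as a table or JSON without depending on cosign or grype, as an added example that is not part of this issue or of the redhat-buildpacks/testing project. It assumes the Buildpacks layout in which launch SBOMs are stored in the image's SBOM layer under `layers/sbom/launch/<buildpack-id>/[<layer>/]sbom.{cdx,spdx,syft}.json`; the layer tarball, buildpack id and components below are constructed in memory so the script runs offline (in a pipeline the layer bytes would come from `pack sbom download` or a registry client instead).

```python
"""Extract Buildpacks launch SBOMs from an image layer tarball and render them.

Added example, not code from redhat-buildpacks/testing. The layer content is
constructed in memory; the path layout assumed is the one Buildpacks uses for
launch SBOMs: layers/sbom/launch/<buildpack-id>/[<layer>/]sbom.<fmt>.json
"""
import io
import json
import re
import tarfile

# Only files at the Buildpacks launch-SBOM locations are treated as SBOMs,
# so unrelated files in the same layer (env files, metadata) are ignored.
SBOM_PATH_RE = re.compile(
    r"^(?:\./)?layers/sbom/launch/(?P<bp>[^/]+)/(?:(?P<layer>[^/]+)/)?"
    r"sbom\.(?P<fmt>cdx|spdx|syft)\.json$"
)


def build_sample_layer() -> bytes:
    """Constructed sample: a layer tar holding one CycloneDX SBOM for a made-up buildpack."""
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "spring-boot", "version": "3.1.0",
             "purl": "pkg:maven/org.springframework.boot/spring-boot@3.1.0"},
            {"type": "library", "name": "jackson-databind", "version": "2.15.2",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        ],
    }
    entries = [
        ("layers/sbom/launch/example_buildpack/app/sbom.cdx.json", json.dumps(sbom).encode()),
        # a non-SBOM file living next to it, to show the path filter at work
        ("layers/sbom/launch/example_buildpack/app/env/JAVA_TOOL_OPTIONS.append", b"-Xmx1g"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, payload in entries:
            info = tarfile.TarInfo(path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_sboms(layer_tar: bytes) -> dict:
    """Return {member path: parsed SBOM document} for every launch SBOM in the layer.

    Members are read straight from the tar stream; nothing is written to disk,
    so hostile member names cannot escape a target directory.
    """
    found = {}
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not SBOM_PATH_RE.match(member.name):
                continue
            found[member.name] = json.load(tar.extractfile(member))
    return found


def components(sbom: dict) -> list:
    """Flatten CycloneDX components to (name, version, purl); other formats yield no rows."""
    if sbom.get("bomFormat") != "CycloneDX":
        return []
    return [(c.get("name", ""), c.get("version", ""), c.get("purl", ""))
            for c in sbom.get("components", [])]


def render(sboms: dict, fmt: str) -> str:
    """Render all components as 'table' or 'json', mirroring the -o choice given to grype."""
    header = ("SBOM", "NAME", "VERSION", "PURL")
    rows = [(path,) + comp for path, sbom in sboms.items() for comp in components(sbom)]
    if fmt == "json":
        return json.dumps([dict(zip(header, r)) for r in rows], indent=2)
    if fmt == "table":
        widths = [max(len(r[i]) for r in [header] + rows) for i in range(len(header))]

        def fmt_row(r):
            return "  ".join(col.ljust(w) for col, w in zip(r, widths)).rstrip()

        return "\n".join(fmt_row(r) for r in [header] + rows)
    raise ValueError(f"unsupported output format: {fmt}")


if __name__ == "__main__":
    found = extract_sboms(build_sample_layer())
    print(render(found, "table"))
```

Because the extraction only depends on the tar layout, the same function works whether the layer came from `pack sbom download`, from a registry client, or from `docker save`; the scanner (grype, syft, or anything that reads CycloneDX) is then just a consumer of the files this returns.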