chore: enable SBOM attestations for docker images (#16894)

- Enable SBOM and provenance attestations in Docker builds - Installs `cosign` and `syft` in dogfood image - Adds [github attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) Signed-off-by: Thomas Kosiewski <tk@coder.com> --------- Signed-off-by: Thomas Kosiewski <tk@coder.com> Co-authored-by: Thomas Kosiewski <tk@coder.com>
2025-07-12 00:14:10 +00:00 · 2025-03-13 21:45:11 +05:00
parent 30179aeaac
commit 4987de654e
5 changed files with 339 additions and 3 deletions
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@ -153,4 +153,17 @@ if [[ "$push" == 1 ]]; then
 	docker push "$image_tag" 1>&2
 fi

+log "--- Generating SBOM for Docker image ($image_tag)"
+syft "$image_tag" -o spdx-json >"${image_tag}.spdx.json"
+
+if [[ "$push" == 1 ]]; then
+	log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
+	COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
+
+	COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+		--predicate "${image_tag}.spdx.json" \
+		--yes \
+		"$image_tag"
+fi
+
 echo "$image_tag"