@@ -45,7 +45,7 @@ docker-publish:
4545 fi ; \
4646 # This generates a signature and publishes it to the registry, next to the image\
4747 # Uses the keyless signing flow with Github Actions as identity provider\
48- cosign sign -y ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} : @$$ REPO_DIGEST_OF_IMAGE
48+ cosign sign -y " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} @$$ REPO_DIGEST_OF_IMAGE"
4949
5050 # Push to Harbor
5151 # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
@@ -59,7 +59,18 @@ docker-publish:
5959 fi;\
6060 # This generates a signature and publishes it to the registry, next to the image\
6161 # Uses the keyless signing flow with Github Actions as identity provider\
62- cosign sign -y ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:@$$REPO_DIGEST_OF_IMAGE
62+ cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
63+ # Generate the SBOM for the operator image, this leverages the already generated SBOM for the operator binary by cargo-cyclonedx\
64+ syft scan --output cyclonedx-json=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
65+ # Determine the PURL for the container image\
66+ PURL="pkg:docker/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE?repository_url=${OCI_REGISTRY_HOSTNAME}";\
67+ # Get metadata from the image\
68+ IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}");\
69+ IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}");\
70+ # Merge the SBOM with the metadata for the operator\
71+ jq -s '{"metadata":{"component":{"description":"'"$$IMAGE_NAME. $$IMAGE_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":"https://stackable.tech/"},"author":"Stackable GmbH","purl":"'"$$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;\
72+ # Attest the SBOM to the image\
73+ cosign attest -y --predicate sbom.merged.json --type cyclonedx "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE"
6374
6475# TODO remove if not used/needed
6576docker : docker-build docker-publish
@@ -85,7 +96,7 @@ helm-publish:
8596 docker login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}';\
8697 # This generates a signature and publishes it to the registry, next to the chart artifact\
8798 # Uses the keyless signing flow with Github Actions as identity provider\
88- cosign sign -y ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}/${HELM_CHART_NAME}: @$$REPO_DIGEST_OF_ARTIFACT
99+ cosign sign -y " ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}/${HELM_CHART_NAME}@$$REPO_DIGEST_OF_ARTIFACT"
89100
90101helm-package :
91102 mkdir -p target/helm && helm package --destination target/helm deploy/helm/${OPERATOR_NAME}
0 commit comments