Generate SBOM when using Trivy
Why is this change being made?
Generate an SBOM in Container Scanning using Trivy. Add a new `Gcs::Plugin::SBOMScan` class which uses Trivy to generate SBOMs from within Container Scanning.
Steps to test

- Create a container scanning project or clone this test project.
- In `.gitlab-ci.yml` set `CS_ANALYZER_IMAGE` to the latest generated image from the CI job, i.e. `registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/trivy:ffd7917643be263f5ab19933db4ad909ccc43495`
- Set the `artifacts` under `container_scanning` in `.gitlab-ci.yml`:

  ```yaml
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
      dependency_scanning: gl-dependency-scanning-report.json
      cyclonedx: gl-sbom-report.cdx.json
    paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json, gl-sbom-report.cdx.json]
  ```

- Run the container-scanning job.
- In the artifacts of the job you can find `gl-sbom-report.cdx.json`.

Running the integration tests locally also generates the file.
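A quick way to confirm that the `gl-sbom-report.cdx.json` artifact the job produces is a usable CycloneDX document is to check its basic shape before anything downstream (vulnerability matching, dependency lists) consumes it. The script below is an added example for this MR, not part of the analyzer's code; it assumes the artifact is CycloneDX JSON with a top-level `components` array, and the embedded `SAMPLE_SBOM` is constructed sample data, not real analyzer output.

```ruby
require 'json'

# Constructed minimal CycloneDX document standing in for gl-sbom-report.cdx.json
# (sample data for this example, not output of the analyzer).
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
      { "type": "library", "name": "openssl", "version": "1.1.1n-0+deb11u4",
        "purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u4" },
      { "type": "library", "name": "zlib", "version": "1:1.2.11.dfsg-2" },
      { "type": "library", "name": "busybox" }
    ]
  }
JSON

# Validate the basic shape of a CycloneDX JSON SBOM and return a summary hash:
#   valid            -> true when no structural errors were found
#   errors           -> list of human-readable problems
#   component_count  -> number of entries in "components"
#   missing_version  -> names of components that carry no version, which
#                       downstream vulnerability matching cannot use
def check_cyclonedx(json_text)
  doc = JSON.parse(json_text)
  errors = []
  errors << 'bomFormat must be "CycloneDX"' unless doc['bomFormat'] == 'CycloneDX'
  errors << 'specVersion missing' unless doc['specVersion'].is_a?(String) && !doc['specVersion'].empty?

  components = doc['components']
  unless components.is_a?(Array)
    errors << 'components must be an array'
    components = []
  end

  # Every component needs at least a name to be meaningful in a report.
  unnamed = components.count { |c| !c.is_a?(Hash) || c['name'].to_s.empty? }
  errors << "#{unnamed} component(s) without a name" if unnamed > 0

  missing_version = components
                    .select { |c| c.is_a?(Hash) && c['version'].to_s.empty? }
                    .map { |c| c['name'] }
                    .compact

  {
    valid: errors.empty?,
    errors: errors,
    component_count: components.size,
    missing_version: missing_version
  }
end

# Read the artifact from disk; the default path is the report name the job emits.
def check_sbom_file(path = 'gl-sbom-report.cdx.json')
  check_cyclonedx(File.read(path))
end
```

Run it against a downloaded job artifact with `ruby -e 'load "check_sbom.rb"; puts JSON.pretty_generate(check_sbom_file("gl-sbom-report.cdx.json"))'` (the script file name is an assumption). A non-empty `missing_version` list is worth a look even when `valid` is true: those components cannot be matched against advisories by version.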
Example/Demo:
https://gitlab.com/atiwari71/container-scanning-test/-/jobs/3964842152/artifacts/browse
Demo Video
Screen_Recording_2023-03-21_at_12.05.08_PM