Automate SBOM generation for container images #805
jayavenkatesh19 wants to merge 9 commits into rapidsai:main from
Conversation
Signed-off-by: Jaya Venkatesh <[email protected]>
jameslamb
left a comment
Thanks for getting this started! Doing it in a multi-stage build is a really cool idea, nice way to make it work with the third-party actions we use to build and publish images (no need to manually invoke docker build ourselves).
I see it's been a few weeks since the last activity here... do you need help with anything? Or is this effort just paused right now?
Hey @jameslamb! This effort has been on pause as I was focusing on creating the notebook for my talk for PyData Boston. I also have PRs open on ci-imgs and devcontainers that have been up for a while. It'd be great if you could glance over them and leave your review for these! I've also looked at the SBOMs generated and there are a lot of fields pertaining to individual files in the Docker images. I am not sure if we need to include every file in the image or if a list of libraries included with the image would do. The current
Ok thanks for the update, sorry for the very long delayed response! Doing this in a multi-stage docker build is a nice approach, I support it.
The more we can include and confidently attribute to a source + a set of licenses, the better. Will just have to see how scanning tools handle the SBOMs we're generating.
jameslamb
left a comment
Left a few suggestions, things I noticed after reviewing similar changes in rapidsai/ci-imgs#309
| RUN --mount=type=bind,from=notebooks-build,source=/,target=/rootfs,ro \ | ||
| mkdir -p /out && \ | ||
| syft scan \ |
Similar to rapidsai/ci-imgs#309 (comment), I think this should be moved to a mounted-in script so we only have to set the syft configuration in 1 place.
| ARG LINUX_VER=${LINUX_DISTRO}${LINUX_DISTRO_VER} | ||
| ARG RAPIDS_VER=26.02 | ||
| ARG SYFT_VER=1.32.0 |
Similar to rapidsai/ci-imgs#309 (comment), could you please move the syft version and Alpine tag into versions.yaml?
To be fair, there wasn't a versions.yaml when you started this PR, it was only very recently added: #834
Towards https://github.com/rapidsai/build-infra/issues/280
Adds SBOM to the base and notebook images:

- syft-base with the Syft binary installed on a minimal alpine 3.20 image.
- base-build and notebooks-build to differentiate it from the final image.
- base-sbom/notebooks-sbom where the built stage is mounted to a specified location on the syft-base stage.
- syft scan is done on the mounted location, and an SBOM is generated.
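The multi-stage layout sketched above, written out as an added example Dockerfile that is not the PR's own code: the python:3.12-slim base image, the single pip package, the rapids-base source name and the /usr/share/sbom path are assumptions chosen for illustration; the stage names, the read-only bind mount and the Syft/Alpine versions follow the PR description and review comments.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the PR's Dockerfile. Stage names mirror the PR
# description; the base image, package, source name and SBOM path are
# assumptions.
ARG SYFT_VER=1.32.0
ARG ALPINE_VER=3.20

# Pinned Syft release; the official image ships the static binary at /syft.
# Pinning by tag is the minimum; a digest pin (anchore/syft@sha256:...) is
# stronger once the digest is recorded in versions.yaml.
FROM anchore/syft:v${SYFT_VER} AS syft-bin

# 1. syft-base: minimal Alpine with only the Syft binary added, so the
#    scanner stage carries nothing that could end up in the SBOM itself.
FROM alpine:${ALPINE_VER} AS syft-base
COPY --from=syft-bin /syft /usr/local/bin/syft

# 2. base-build: the real image content, given its own stage name so the
#    scan stage can mount it without being derived from it.
FROM python:3.12-slim AS base-build
RUN pip install --no-cache-dir requests==2.32.3   # assumed sample package

# 3. base-sbom: mount base-build's root filesystem read-only into the
#    syft-base stage and scan it as a directory. Two outputs: SPDX JSON
#    for tooling, a table for humans reading the build log.
FROM syft-base AS base-sbom
ARG RAPIDS_VER=26.02
RUN --mount=type=bind,from=base-build,source=/,target=/rootfs,ro \
    mkdir -p /out && \
    syft scan dir:/rootfs \
      --source-name rapids-base \
      --source-version "${RAPIDS_VER}" \
      -o spdx-json=/out/sbom.spdx.json \
      -o syft-table=/out/sbom.txt

# 4. base: the image that is published. Copying the SBOM in from the scan
#    stage keeps the Syft binary and Alpine layers out of the final image
#    while shipping the inventory alongside what it describes.
FROM base-build AS base
COPY --from=base-sbom /out/sbom.spdx.json /usr/share/sbom/sbom.spdx.json
```

To pull the SBOM out without building the final image, build the scan stage with a local output, e.g. `docker build --target base-sbom --output type=local,dest=./sbom .`, which exports that stage's filesystem (including /out) to ./sbom.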