2 changes: 2 additions & 0 deletions .hadolint.yaml
Expand Up @@ -7,3 +7,5 @@ ignored:
- DL3013
# warning: Avoid use of cache directory with pip.
- DL3042
# warning: Pin version in apk install.
- DL3018
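Review bot: Assuming the `DL3018` entry is the addition here (the rendered hunk keeps no +/- markers), it silences the apk pin-version warning for every apk install in the repository rather than for the one `apk add --no-cache curl tar ca-certificates` line in the new `syft-base` stage it was presumably added for. Pinning those three packages (`pkg=version-rN`) or scoping the exception with an inline `# hadolint ignore=DL3018` comment on that single RUN keeps the rule active elsewhere and keeps the image that produces the SBOM reproducible.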
57 changes: 55 additions & 2 deletions Dockerfile
Expand Up @@ -8,6 +8,24 @@ ARG LINUX_DISTRO_VER=22.04
ARG LINUX_VER=${LINUX_DISTRO}${LINUX_DISTRO_VER}

ARG RAPIDS_VER=26.02
ARG SYFT_VER=1.32.0
Similar to rapidsai/ci-imgs#309 (comment), could you please move the syft version and Alpine tag into versions.yaml?

To be fair, there wasn't a versions.yaml when you started this PR, it was only very recently added: #834


# Build syft base image
FROM --platform=$BUILDPLATFORM alpine:3.20 AS syft-base
ARG BUILDPLATFORM
ARG SYFT_VER

SHELL ["/bin/ash", "-eo", "pipefail", "-c"]

RUN apk add --no-cache curl tar ca-certificates \
&& case "$BUILDPLATFORM" in \
linux/amd64) SYFT_ARCH="linux_amd64" ;; \
linux/arm64) SYFT_ARCH="linux_arm64" ;; \
*) echo "Unsupported BUILDPLATFORM: ${BUILDPLATFORM}" && exit 1 ;; \
esac \
&& curl -sSfL "https://github.com/anchore/syft/releases/download/v${SYFT_VER}/syft_${SYFT_VER}_${SYFT_ARCH}.tar.gz" \
| tar -xz -C /usr/local/bin syft \
&& chmod +x /usr/local/bin/syft

# Gather dependency information

Expand Down Expand Up @@ -40,7 +58,7 @@ EOF


# Base image
FROM rapidsai/miniforge-cuda:${RAPIDS_VER}-cuda${CUDA_VER}-base-${LINUX_VER}-py${PYTHON_VER} AS base
FROM rapidsai/miniforge-cuda:${RAPIDS_VER}-cuda${CUDA_VER}-base-${LINUX_VER}-py${PYTHON_VER} AS base-build
ARG CUDA_VER
ARG PYTHON_VER

Expand Down Expand Up @@ -99,8 +117,26 @@ ENTRYPOINT ["/home/rapids/entrypoint.sh"]
CMD ["ipython"]


# SBOM generation for base image
FROM syft-base AS base-sbom
SHELL ["/bin/sh", "-euo", "pipefail", "-c"]

RUN --mount=type=bind,from=base-build,source=/,target=/rootfs,ro \
mkdir -p /out && \
syft scan \
--source-name "rapidsai/base" \
--scope all-layers \
--output [email protected]=/out/sbom.json \
dir:/rootfs

# Create the base image with the SBOM
FROM base-build AS base
COPY --from=base-sbom /out/sbom.json /sbom/sbom.json
USER rapids


# Notebooks image
FROM base AS notebooks
FROM base AS notebooks-build

ARG CUDA_VER
ARG LINUX_DISTRO
Expand Down Expand Up @@ -174,3 +210,20 @@ LABEL com.nvidia.workbench.schema-version="v2"
LABEL com.nvidia.workbench.user.gid="1000"
LABEL com.nvidia.workbench.user.uid="1001"
LABEL com.nvidia.workbench.user.username="rapids"

# SBOM generation for notebooks image
FROM syft-base AS notebooks-sbom
SHELL ["/bin/sh", "-euo", "pipefail", "-c"]

RUN --mount=type=bind,from=notebooks-build,source=/,target=/rootfs,ro \
mkdir -p /out && \
syft scan \
Similar to rapidsai/ci-imgs#309 (comment), I think this should be moved to a mounted-in script so we only have to set the syft configuration in 1 place.

--source-name "rapidsai/notebooks" \
--scope all-layers \
--output [email protected]=/out/sbom.json \
dir:/rootfs

# Create the notebooks image with the SBOM
FROM notebooks-build AS notebooks
COPY --from=notebooks-sbom /out/sbom.json /sbom/sbom.json
USER rapids
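Review bot: The syft tarball fetched in the `syft-base` stage (the `curl … | tar -xz` chain in the first Dockerfile hunk) is never integrity-checked, so the tool that produces the shipped SBOM is trusted on the strength of the TLS connection alone; pinning the expected sha256 per build arch and verifying it before extraction makes the build reproducible and fails loudly on a tampered or truncated download. A pinned hash also means a `SYFT_VER` bump is reviewed together with its hash change. The rewrite below downloads to a file, checks it with busybox `sha256sum -c`, and only then extracts; the `<SYFT_SHA256_*>` values are placeholders to be filled from the release's published checksums. Separately, `--scope all-layers` on the `dir:/rootfs` scans in the `base-sbom` and `notebooks-sbom` stages appears to be a no-op for directory sources (layer scope applies to image sources) — worth confirming and dropping if so.
```dockerfile
ARG SYFT_VER
# Expected sha256 of the release tarball per build arch (placeholders; fill from the release checksums)
ARG SYFT_SHA256_AMD64=<SYFT_SHA256_AMD64>
ARG SYFT_SHA256_ARM64=<SYFT_SHA256_ARM64>

SHELL ["/bin/ash", "-eo", "pipefail", "-c"]

RUN apk add --no-cache curl tar ca-certificates \
  && case "$BUILDPLATFORM" in \
       linux/amd64) SYFT_ARCH="linux_amd64"; SYFT_SHA256="$SYFT_SHA256_AMD64" ;; \
       linux/arm64) SYFT_ARCH="linux_arm64"; SYFT_SHA256="$SYFT_SHA256_ARM64" ;; \
       *) echo "Unsupported BUILDPLATFORM: ${BUILDPLATFORM}" && exit 1 ;; \
     esac \
  && curl -sSfL -o /tmp/syft.tar.gz "https://github.com/anchore/syft/releases/download/v${SYFT_VER}/syft_${SYFT_VER}_${SYFT_ARCH}.tar.gz" \
  # verify before anything from the archive touches the filesystem
  && echo "${SYFT_SHA256}  /tmp/syft.tar.gz" | sha256sum -c - \
  && tar -xz -C /usr/local/bin -f /tmp/syft.tar.gz syft \
  && rm /tmp/syft.tar.gz
```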