- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.
49 lines
1.6 KiB
Bash
```bash
#!/usr/bin/env bash
# Deterministic SBOM + attestation helper for DOCKER-44-002
# Usage: ./sbom_attest.sh <image-ref> [output-dir] [cosign-key]
# - image-ref: fully qualified image (e.g., ghcr.io/stellaops/policy:1.2.3)
# - output-dir: defaults to ./sbom
# - cosign-key: path to cosign key (PEM). If omitted, uses keyless if allowed (COSIGN_EXPERIMENTAL=1)

set -euo pipefail

IMAGE_REF=${1:?"image ref required"}
OUT_DIR=${2:-sbom}
COSIGN_KEY=${3:-}

mkdir -p "${OUT_DIR}"

# Normalize filename (replace / and : with _)
name_safe() {
  echo "$1" | tr '/:' '__'
}

BASENAME=$(name_safe "${IMAGE_REF}")
SPDX_JSON="${OUT_DIR}/${BASENAME}.spdx.json"
CDX_JSON="${OUT_DIR}/${BASENAME}.cdx.json"
ATTESTATION="${OUT_DIR}/${BASENAME}.sbom.att"

# Freeze timestamps for reproducibility
export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1704067200}

# Generate SPDX 3.0-ish JSON (syft formats are stable and offline-friendly)
syft "${IMAGE_REF}" -o spdx-json > "${SPDX_JSON}"
# Generate CycloneDX 1.6 JSON
syft "${IMAGE_REF}" -o cyclonedx-json > "${CDX_JSON}"

# Attach SBOMs as cosign attestations (one per format)
export COSIGN_EXPERIMENTAL=${COSIGN_EXPERIMENTAL:-1}
COSIGN_ARGS=("attest" "--predicate" "${SPDX_JSON}" "--type" "spdx" "${IMAGE_REF}")
if [[ -n "${COSIGN_KEY}" ]]; then
  # cosign accepts flags after the positional image ref, so appending --key here is fine
  COSIGN_ARGS+=("--key" "${COSIGN_KEY}")
fi
cosign "${COSIGN_ARGS[@]}"

COSIGN_ARGS=("attest" "--predicate" "${CDX_JSON}" "--type" "cyclonedx" "${IMAGE_REF}")
if [[ -n "${COSIGN_KEY}" ]]; then
  COSIGN_ARGS+=("--key" "${COSIGN_KEY}")
fi
cosign "${COSIGN_ARGS[@]}"

echo "SBOMs written to ${SPDX_JSON} and ${CDX_JSON}" >&2
echo "Attestations pushed for ${IMAGE_REF}" >&2
```
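The script above freezes `SOURCE_DATE_EPOCH` so that two runs against the same image should produce the same SBOM. The following check is an added example, not part of the repository, for confirming that claim in CI: it hashes the two exports after dropping the fields syft regenerates per run (CycloneDX `serialNumber` and `metadata.timestamp`, SPDX `creationInfo.created` and `documentNamespace`; treating exactly these as volatile is an assumption), so a digest mismatch points at a real content difference rather than a timestamp. The two CycloneDX documents are constructed inline as sample input.

```python
import hashlib
import json

# Assumed volatile fields: regenerated by syft on every run, so they are
# excluded before hashing. Anything else that differs is a real change.
VOLATILE_PATHS = (
    ("serialNumber",),
    ("metadata", "timestamp"),
    ("creationInfo", "created"),
    ("documentNamespace",),
)


def _drop_path(doc, path):
    """Remove a nested key if present; silently ignore paths absent in this format."""
    node = doc
    for key in path[:-1]:
        if not isinstance(node, dict) or key not in node:
            return
        node = node[key]
    if isinstance(node, dict):
        node.pop(path[-1], None)


def canonical_digest(sbom_json: str) -> str:
    """SHA-256 of the SBOM with volatile fields removed and keys sorted."""
    doc = json.loads(sbom_json)
    for path in VOLATILE_PATHS:
        _drop_path(doc, path)
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_reproducible(run_a: str, run_b: str) -> bool:
    """True when two exports of the same image agree on everything but volatile fields."""
    return canonical_digest(run_a) == canonical_digest(run_b)


# Constructed sample: two CycloneDX exports of the same image, taken at different times.
RUN_A = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "serialNumber": "urn:uuid:11111111-1111-1111-1111-111111111111",
    "metadata": {"timestamp": "2024-01-01T00:00:00Z"},
    "components": [{"name": "openssl", "version": "3.0.13"}],
})
RUN_B = RUN_A.replace("11111111-1111-1111-1111-111111111111",
                      "22222222-2222-2222-2222-222222222222") \
             .replace("2024-01-01T00:00:00Z", "2024-06-01T12:34:56Z")
RUN_C = RUN_B.replace("3.0.13", "3.0.14")  # a genuine component change

if __name__ == "__main__":
    print("A vs B reproducible:", check_reproducible(RUN_A, RUN_B))  # True
    print("A vs C reproducible:", check_reproducible(RUN_A, RUN_C))  # False
```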