git.stella-ops.org/samples/ci/buildx-demo

Buildx SBOM Demo Workflow

This sample GitHub Actions workflow shows how to run the StellaOps BuildX generator alongside a container build.

What it does

1. Publishes the StellaOps.Scanner.Sbomer.BuildXPlugin with the manifest copied beside the binaries.
2. Calls the plug-in handshake command to verify the local CAS directory.
3. Builds a tiny Alpine-based image via docker buildx.
4. Generates a CycloneDX SBOM from the built image with docker sbom.
5. Emits a descriptor + provenance placeholder referencing the freshly generated SBOM with the descriptor command.
6. Sends the placeholder to a mock Attestor endpoint and uploads the descriptor, SBOM, and captured request as artefacts. (Swap the mock step with your real Attestor URL + STELLAOPS_ATTESTOR_TOKEN secret when ready.)

Files

• github-actions-buildx-demo.yml – workflow definition (workflow_dispatch + demo/buildx branch trigger).
• Dockerfile – minimal demo image.
• github-actions-buildx-demo.yml now captures a real SBOM via docker sbom.

Running locally

dotnet publish src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj -c Release -o out/buildx

dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \
  --manifest out/buildx \
  --cas out/cas

docker buildx build --load -t stellaops/buildx-demo:ci samples/ci/buildx-demo
DIGEST=$(docker image inspect stellaops/buildx-demo:ci --format '{{index .RepoDigests 0}}')

docker sbom stellaops/buildx-demo:ci --format cyclonedx-json > out/buildx-sbom.cdx.json

dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \
  --manifest out/buildx \
  --image "$DIGEST" \
  --sbom out/buildx-sbom.cdx.json \
  --sbom-name buildx-sbom.cdx.json \
  > out/buildx-descriptor.json

The descriptor JSON contains deterministic annotations and provenance placeholders ready for the Attestor.