
Generating SBOM and signing docker images #423

Merged
merged 7 commits into from
Oct 28, 2024

Conversation

JGiola
Contributor

@JGiola JGiola commented Oct 25, 2024

Pull Request Type

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

Description

This PR is mainly focused on changing the docker image release process to add the generation of an SPDX SBOM file in JSON format and attach it to the tagged images via cosign, and it will also add the signing of those images using the Mia-Platform public key.

In adding these new functions, it will also add:

  • pinning all actions to their sha for a better security posture against supply chain attacks and for preparing the generation of build attestations in the future
  • add a devcontainer configuration to allow people to run them locally or use it for codespaces
  • update dependabot with actions and devcontainer configuration
  • add a new dependency review action
  • pinned docker layers inside the Dockerfile for a better security posture against supply chain attacks
  • remove the LABEL directive that is superseded by the meta step in the release process
  • move the security check via sysdig from an internal pipeline to the official action
  • update npm dependencies to the latest minor and patch releases

PR Checklist

  • The commit message follows our guidelines included in the CONTRIBUTING.md
  • Tests for the changes have been added (for bug fixes / features)
  • Relevant CHANGELOG is updated

Does this PR introduce a breaking change?

  • Yes
  • No

Other information
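The two pinning practices the description lists (actions pinned to a full commit SHA, Dockerfile layers pinned to an image digest) can be audited mechanically before a release. The following is an added example, not code from this PR or the project; the workflow and Dockerfile snippets are constructed samples and the action name `example-org/sbom-action` is hypothetical.

```python
import re

# `uses:` refs look like owner/repo[/path]@ref; only a 40-hex commit SHA is immutable.
ACTION_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
# FROM [--platform=...] image[:tag][@sha256:digest] [AS stage]
FROM_LINE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_actions(workflow_yaml: str) -> list[str]:
    """Return `uses:` refs that are not pinned to a full commit SHA."""
    findings = []
    for line in workflow_yaml.splitlines():
        m = ACTION_USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local and docker:// actions carry no git ref to pin
        ref = m.group(1)
        if not COMMIT_SHA.match(ref.partition("@")[2]):
            findings.append(ref)  # tag or branch: mutable, can be moved by the owner
    return findings


def unpinned_images(dockerfile: str) -> list[str]:
    """Return FROM images without an @sha256 digest; a tag alone is mutable."""
    findings, stages = [], set()
    for line in dockerfile.splitlines():
        m = FROM_LINE.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if image.lower() in stages or image.lower() == "scratch":
            continue  # reference to an earlier build stage, or the empty image
        if not DIGEST.search(image):
            findings.append(image)
    return findings


# Constructed sample inputs (not the project's real workflow or Dockerfile).
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/sbom-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local
"""
SAMPLE_DOCKERFILE = """\
FROM node:20-alpine AS builder
FROM node:20-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS runtime
FROM builder
"""
```

Running both functions on the samples flags `actions/checkout@v4` and the digest-less `node:20-alpine` builder stage, which is the review check the pinning bullets call for.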

@JGiola JGiola force-pushed the feat/sbom-and-sign-containers branch 2 times, most recently from f511476 to 99bd1db Compare October 25, 2024 08:56
@coveralls

coveralls commented Oct 25, 2024

Pull Request Test Coverage Report for Build 11550388270

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 83.956%

Totals Coverage Status
Change from base Build 11499676684: 0.0%
Covered Lines: 520
Relevant Lines: 592

💛 - Coveralls

@amountainram amountainram requested a review from epessina October 25, 2024 09:01
@JGiola JGiola force-pushed the feat/sbom-and-sign-containers branch from 99bd1db to a98b81d Compare October 28, 2024 08:47
@epessina epessina merged commit b2ad73d into main Oct 28, 2024
8 checks passed
@epessina epessina deleted the feat/sbom-and-sign-containers branch October 28, 2024 09:28