diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index beb7b3c9f..b9e1543e8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -104,6 +104,8 @@ jobs:
       - name: Generate SBOMs, upload to release and attest
         id: attest_goreleaser
+        env:
+          SYFT_GOLANG_SEARCH_REMOTE_LICENSES: "true"
         run: |
           # goreleaser output resides in dist/artifacts.json
           # Attest all built containers and manifests
diff --git a/docs/examples/contracts/sbom/sbom-quality.yaml b/docs/examples/contracts/sbom/sbom-quality.yaml
new file mode 100644
index 000000000..84ac562f4
--- /dev/null
+++ b/docs/examples/contracts/sbom/sbom-quality.yaml
@@ -0,0 +1,9 @@
+#release-contract
+schemaVersion: v1
+materials:
+  # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation
+  # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
+  - type: SBOM_CYCLONEDX_JSON
+    name: sbom
+policyGroups:
+  - ref: sbom-quality
diff --git a/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml b/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml
new file mode 100644
index 000000000..f0fbe4acc
--- /dev/null
+++ b/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml
@@ -0,0 +1,11 @@
+#vuln-scan-contract
+schemaVersion: v1
+materials:
+  # SCA scans will be uploaded to your artifact registry and referenced by digest in the attestation
+  # BLACKDUCK_SCA_JSON, SARIF, TWISTCLI_SCAN_JSON, GHAS_DEPENDENCY_SCAN
+  # are supported
+  - type: SARIF
+    name: vuln-scan
+policyGroups:
+  - ref: vulnerability-management
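Review bot: The new `SYFT_GOLANG_SEARCH_REMOTE_LICENSES: "true"` in the `attest_goreleaser` step turns on remote license lookups, so syft now reaches out to the Go module proxy from inside the step that signs and attests the release artifacts, and nothing in the hunk records why or what that depends on. A reviewer six months from now will not know whether the extra network egress is intentional, and a proxy outage or a change in what the proxy serves would presumably fail or alter the attested SBOM without any code change in this repository. Please add a comment above the `env:` block, e.g. `# Ask syft to resolve Go module licenses from the module proxy so the attested SBOM carries license data; this step now needs outbound network access during attestation`, and consider pinning the proxy explicitly via `GOPROXY` in the same `env:` block so the source of that data is recorded in the workflow. The step's `run:` body and the enclosing job start and end outside the hunk.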
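Review bot: The first line of the new sbom-quality.yaml, `#release-contract`, has no space after the hash, which yamllint's `comments` rule rejects; since this is an example users are expected to copy, it should lint clean, so change it to `# release-contract`. The same applies to `#vuln-scan-contract` at the top of the new vulnerability-management.yaml in the next hunk. In that file the supported-types comment is also split mid-sentence across `# BLACKDUCK_SCA_JSON, ... GHAS_DEPENDENCY_SCAN` and `# are supported`; folding it into one comment line, or ending the first line with a colon, reads better.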