From 79a3b859e25b620d051bb217ee68118077f86905 Mon Sep 17 00:00:00 2001
From: Victoria
Date: Mon, 5 May 2025 19:36:46 +0200
Subject: [PATCH 1/2] resolves chainloop-dev/chainloop#2022
Signed-off-by: Victoria
---
docs/examples/contracts/sbom/sbom-quality.yaml | 9 +++++++++
.../vulnerabilities/vulnerability-management.yaml | 11 +++++++++++
2 files changed, 20 insertions(+)
create mode 100644 docs/examples/contracts/sbom/sbom-quality.yaml
create mode 100644 docs/examples/contracts/vulnerabilities/vulnerability-management.yaml
diff --git a/docs/examples/contracts/sbom/sbom-quality.yaml b/docs/examples/contracts/sbom/sbom-quality.yaml
new file mode 100644
index 000000000..84ac562f4
--- /dev/null
+++ b/docs/examples/contracts/sbom/sbom-quality.yaml
@@ -0,0 +1,9 @@
+#release-contract
+schemaVersion: v1
+materials:
+ # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation
+ # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
+ - type: SBOM_CYCLONEDX_JSON
+ name: sbom
+policyGroups:
+ - ref: sbom-quality
diff --git a/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml b/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml
new file mode 100644
index 000000000..f0fbe4acc
--- /dev/null
+++ b/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml
@@ -0,0 +1,11 @@
+#vuln-scan-contract
+schemaVersion: v1
+materials:
+ # SCA scans will be uploaded to your artifact registry and referenced by digest in the attestation
+ # BLACKDUCK_SCA_JSON, SARIF, TWISTCLI_SCAN_JSON, GHAS_DEPENDENCY_SCAN
+ # are supported
+ - type: SARIF
+ name: vuln-scan
+policyGroups:
+ - ref: vulnerability-management
From a32adff838de5b5525eebb3b66d7b86546eafa83 Mon Sep 17 00:00:00 2001
From: Victoria
Date: Mon, 18 Aug 2025 10:59:56 +0200
Subject: [PATCH 2/2] fix(build): include go package licenses in sbom
Signed-off-by: Victoria
---
.github/workflows/release.yaml | 2 ++
1 file changed, 2 insertions(+)
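Review bot: The first line of each new example, `#release-contract` here and `#vuln-scan-contract` in the vulnerability-management.yaml hunk, has no space after `#`, which yamllint's `comments` rule flags and which reads as a stray label rather than an explanation of the file. Suggest replacing it with a sentence that states what the example enforces, e.g. `# Example contract: requires a CycloneDX SBOM material and applies the sbom-quality policy group` (and the SARIF / vulnerability-management equivalent in the second file). The list indentation under `materials:` cannot be checked from this rendering, so I have not reviewed it.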
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index beb7b3c9f..b9e1543e8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -104,6 +104,8 @@ jobs:
 - name: Generate SBOMs, upload to release and attest
 id: attest_goreleaser
+ env:
+ SYFT_GOLANG_SEARCH_REMOTE_LICENSES: "true"
 run: |
 # goreleaser output resides in dist/artifacts.json
 # Attest all built containers and manifests
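Review bot: `SYFT_GOLANG_SEARCH_REMOTE_LICENSES: "true"` makes the release SBOM step depend on outbound access to a Go module proxy at attestation time (as I read syft's option, it fetches license files for modules it cannot resolve locally), and nothing in the hunk records that dependency or what the SBOM contains for a module whose license fetch fails. A comment above the new `env:` block would capture it, e.g. `# Fetch Go module licenses from the module proxy so they are recorded in the SBOM; needs network egress at attest time`. If the release runners build through a private module proxy, consider pinning syft's `golang.proxy` setting (if the syft version in use exposes it) so license lookups use the same source as the build rather than a public default. The step's `run:` script and the surrounding job continue outside the hunk.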