
Add 40 Docker Hub images and TEA dedup workflow #10

Merged
vpetersson merged 7 commits into master from add-docker-hub-images on Mar 4, 2026

Conversation

@vpetersson
Contributor

Summary

  • Add SBOM extraction configs and trigger workflows for the top 40 Docker Hub official images (by pull count), including: postgres, python, node, mysql, mongo, httpd, rabbitmq, traefik, mariadb, golang, alpine, ubuntu, debian, ruby, wordpress, php, sonarqube, haproxy, influxdb, nextcloud, tomcat, maven, eclipse-mosquitto, telegraf, bash, ghost, solr, kong, zookeeper, neo4j, gradle, mongo-express, eclipse-temurin, perl, cassandra, drupal, memcached, registry, redis, and nginx (chainguard)
  • Add TEA Sync hourly scheduled workflow (tea-sync.yml) that detects docker/chainguard apps and triggers the SBOM builder — deduplication is handled in the builder itself
  • Update sbom-builder.yml to a three-phase approach: (1) build augmented SBOM locally without upload, (2) check TEA for existing SBOM hash, (3) upload only if the SBOM is new
  • Fix docker-attestation.sh — multi-arch manifest handling was broken (used --platform which skips index-level attestation manifests)
  • Skip semver validation for docker/chainguard source types (versions are Docker tags, not always semver)
  • Rename sbomify/github-action → sbomify/sbomify-action
  • Add product_id to dependency-track configs

Test plan

  • Verified SBOM fetch works for 19+ images locally (postgres, python, node, mysql, httpd, alpine, memcached, traefik, golang, haproxy, influxdb, sonarqube, neo4j, eclipse-temurin, registry, kong, debian, ubuntu, redis)
  • Verified SBOM upload to sbomify works (redis end-to-end)
  • Verified TEA dedup correctly detects already-published SBOMs
  • Confirmed all Docker official images produce SPDX 2.3 SBOMs
  • Removed nats and adminer (only have SLSA provenance, no SBOM attestation)
  • CI validation (dry-run mode)

🤖 Generated with Claude Code
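The three pieces of logic the summary above describes, as an added Python example that is not code from the sbomify repository (the project implements them in shell and GitHub Actions): reading attestation manifests from the image index rather than from a `--platform`-resolved manifest, fingerprinting the locally built SBOM so it is uploaded only when TEA does not already list that hash, and skipping semver validation for docker/chainguard sources. The image index, the SBOM document and the set of already-published hashes standing in for the TEA query are all constructed here; `resolve_attestations`, `should_upload` and `validate_version` are illustrative names, not the project's functions.

```python
import hashlib
import json
import re

# Annotation keys BuildKit sets on attestation manifests inside an image index.
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"
ATTESTATION = "attestation-manifest"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"


def _digest(byte):
    return "sha256:" + byte * 32


# Constructed multi-arch image index: two platform manifests plus one
# attestation manifest per platform (os/arch "unknown", linked by annotation).
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": OCI_MANIFEST, "digest": _digest("aa"), "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": OCI_MANIFEST, "digest": _digest("bb"), "size": 1234,
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
        {"mediaType": OCI_MANIFEST, "digest": _digest("cc"), "size": 567,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {REF_TYPE: ATTESTATION, REF_DIGEST: _digest("aa")}},
        {"mediaType": OCI_MANIFEST, "digest": _digest("dd"), "size": 567,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {REF_TYPE: ATTESTATION, REF_DIGEST: _digest("bb")}},
    ],
}


def platform_key(p):
    return "/".join(x for x in (p.get("os"), p.get("architecture"), p.get("variant")) if x)


def select_platform(index, wanted):
    """Roughly what `--platform os/arch` does: resolve the index to one image
    manifest. The attestation entries stay behind in the index."""
    for m in index["manifests"]:
        if platform_key(m.get("platform") or {}) == wanted:
            return m
    raise LookupError(wanted)


def attestation_manifests(doc):
    """Map target image digest -> attestation-manifest digest, read from the
    index's own manifest list. A single image manifest has no such list, so a
    --platform result passed here yields nothing (the bug the PR fixes)."""
    found = {}
    for m in doc.get("manifests", []):
        ann = m.get("annotations") or {}
        if ann.get(REF_TYPE) == ATTESTATION and REF_DIGEST in ann:
            found[ann[REF_DIGEST]] = m["digest"]
    return found


def resolve_attestations(index):
    """{platform: attestation digest} for every real platform manifest."""
    att = attestation_manifests(index)
    out = {}
    for m in index.get("manifests", []):
        p = m.get("platform") or {}
        if p.get("os") != "unknown" and m["digest"] in att:
            out[platform_key(p)] = att[m["digest"]]
    return out


# --- TEA dedup: fingerprint the built SBOM, upload only if unseen ------------

def sbom_fingerprint(sbom):
    """sha256 over canonical JSON so key order and whitespace do not change it."""
    canon = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def should_upload(sbom, published_hashes):
    """`published_hashes` stands in for the hashes TEA already lists (assumption)."""
    return sbom_fingerprint(sbom) not in published_hashes


# --- Version validation: skipped for docker/chainguard (tags are not semver) --

SEMVER = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
                    r"(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")  # simplified
TAG_SOURCES = {"docker", "chainguard"}


def validate_version(source_type, version):
    if source_type in TAG_SOURCES:
        return True  # tags such as "3.13-slim" or "latest" are legitimate here
    return SEMVER.match(version) is not None


SAMPLE_SBOM = {"spdxVersion": "SPDX-2.3", "name": "example", "packages": []}

if __name__ == "__main__":
    print(resolve_attestations(SAMPLE_INDEX))
    print(attestation_manifests(select_platform(SAMPLE_INDEX, "linux/amd64")))
    print(should_upload(SAMPLE_SBOM, {sbom_fingerprint(SAMPLE_SBOM)}))
```

Run against `SAMPLE_INDEX`, `resolve_attestations` finds one attestation digest per architecture, while the same lookup over the `--platform`-style result returns an empty map, which is exactly why per-platform resolution silently produced no SBOM. Hashing the canonical JSON rather than the raw file keeps a re-serialised but unchanged SBOM from being uploaded twice.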

vpetersson and others added 7 commits March 4, 2026 14:05
- Add SBOM configs and workflows for top 40 Docker Hub official images
  (postgres, python, node, mysql, mongo, httpd, rabbitmq, traefik,
  mariadb, golang, alpine, ubuntu, debian, ruby, wordpress, php,
  sonarqube, haproxy, influxdb, nextcloud, tomcat, maven,
  eclipse-mosquitto, telegraf, bash, ghost, solr, kong, zookeeper,
  neo4j, gradle, mongo-express, eclipse-temurin, perl, cassandra,
  drupal, memcached, registry, redis, nginx/chainguard)
- Add tea-sync.yml hourly workflow to detect docker/chainguard image
  changes and rebuild SBOMs via the existing sbom-builder
- Update sbom-builder.yml to three-phase approach: build augmented SBOM
  locally, check TEA for existing hash, upload only if new
- Fix docker-attestation.sh multi-arch manifest handling (was using
  --platform which skips the index-level attestation manifests)
- Skip semver validation for docker/chainguard source types in common.sh
- Add product_id to dependency-track configs
- Rename sbomify/github-action to sbomify/sbomify-action

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add scripts/check-updates.sh for checking upstream version updates
  across all apps (supports --type, --app, --update, --json flags)
- Add OS images: fedora, rockylinux, amazonlinux, oraclelinux
- Add language images: rust, swift, elixir, erlang, r-base, haskell, julia
- Fix eclipse-mosquitto: 2.1.2 -> 2.1.2-alpine (bare tag doesn't exist)
- Fix trivy: 0.68.2 -> 0.69.3 (old release was deleted)
- Remove nextcloud (no SBOM attestation in image, only SLSA provenance)
- Update README with check-updates usage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Reorganize projects table into categories (OS, Languages, Databases,
Web Servers, Applications, Build Tools, Infrastructure, Security Tools)
and add TEI column for TEA discovery of each SBOM.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Avoids re-downloading ~50MB of tool binaries on every job run.
Cache key is versioned so bumping tool versions invalidates it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Cache sbom.json/lockfile per app+version to skip Docker Hub and
  Chainguard pulls when the version hasn't changed
- Verify SHA-256 checksums for all downloaded tool binaries
  (yq, crane, cosign) before installing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Download checksum files from each tool's GitHub release and verify
against them, instead of hardcoding hashes. This means version bumps
only require changing the version env vars.

- yq: verify against checksums-bsd from release
- crane: verify against checksums.txt from release
- cosign: verify against cosign_checksums.txt from release
- Move COSIGN_VERSION to workflow-level env var

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
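The checksum-file verification described in the last two commits, as an added Python example that is not code from the sbomify workflow (which does this in shell against the tools' release assets). It parses both shapes the commit names, the coreutils `<hex>  <file>` layout of `checksums.txt` and `cosign_checksums.txt` and the BSD `SHA256 (<file>) = <hex>` layout of yq's `checksums-bsd`, and fails closed when an asset has no entry. The binary bytes, the checksum files and the `0.0.0` asset names are constructed here; `parse_checksums`, `verify_download` and `demo` are illustrative names.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Constructed stand-in for a downloaded release asset.
SAMPLE_BINARY = b"\x7fELF" + b"constructed stand-in for a release binary\n"
GOOD = hashlib.sha256(SAMPLE_BINARY).hexdigest()

# Constructed checksum files. The BSD-style file also carries lines for other
# algorithms, which must be ignored rather than treated as SHA-256. Version
# 0.0.0 is a placeholder, not a real release.
COREUTILS_STYLE = (
    f"{GOOD}  crane_0.0.0_Linux_x86_64.tar.gz\n"
    f"{'0' * 64}  crane_0.0.0_Darwin_arm64.tar.gz\n"
)
BSD_STYLE = (
    f"SHA1 (yq_linux_amd64) = {'1' * 40}\n"
    f"SHA256 (yq_linux_amd64) = {GOOD}\n"
    f"SHA256 (yq_linux_arm64) = {'f' * 64}\n"
)

BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_checksums(text):
    """{filename: sha256 hex} from either format; unrelated lines are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
            continue
        m = GNU_LINE.match(line)
        if m:
            table[m.group(2)] = m.group(1).lower()
    return table


def entry_for(checksums_text, name):
    return parse_checksums(checksums_text).get(name)


def verify_digest(actual_hex, checksums_text, name):
    """True iff the computed digest matches the recorded one. A missing entry
    raises: an asset the checksum file does not cover must not pass silently."""
    expected = entry_for(checksums_text, name)
    if expected is None:
        raise KeyError(f"no SHA256 entry for {name}")
    return hmac.compare_digest(actual_hex.lower(), expected)


def verify_bytes(data, checksums_text, name):
    return verify_digest(hashlib.sha256(data).hexdigest(), checksums_text, name)


def verify_download(path, checksums_text):
    """Stream-hash a file on disk and check it under its basename, which is
    the asset name used in the release and therefore in the checksum file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return verify_digest(h.hexdigest(), checksums_text, os.path.basename(path))


def demo():
    """Write the sample asset and a tampered copy to a temp dir and verify both."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "yq_linux_amd64")
        with open(good, "wb") as f:
            f.write(SAMPLE_BINARY)
        tampered = os.path.join(d, "crane_0.0.0_Darwin_arm64.tar.gz")
        with open(tampered, "wb") as f:
            f.write(SAMPLE_BINARY + b"\x00")
        return {
            "yq_ok": verify_download(good, BSD_STYLE),
            "crane_tampered": verify_download(tampered, COREUTILS_STYLE),
        }


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind when relying on this: a checksum file fetched from the same release over the same channel as the binary detects a corrupted or substituted download, but not a release that was published with matching, attacker-chosen hashes. The versioned cache key in the earlier commit helps here too, since a cached binary is only ever reused under the version it was verified for.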
@vpetersson vpetersson merged commit 3ba9066 into master Mar 4, 2026
3 of 61 checks passed