Commit05ebece

authored

chore: enable SBOM attestation for image builds (#16852)

- Added SBOM (Software Bill of Materials) generation during Docker buildto enhance traceability. Refer to Docker documentation on SBOM:https://docs.docker.com/build/metadata/attestations/sbom/- Updated Docker build scripts to use BuildKit for provenance and SBOMsupport:https://docs.docker.com/build/metadata/attestations/- Configured Docker daemon in dogfood image to support the Containerdsnapshotter feature to improve performance:https://docs.docker.com/engine/storage/containerd/> [!Important]> We also need to enable `containerd` on depot runners.> <img width="587" alt="image"src="https://github.com/user-attachments/assets/1d7f87c7-fdcc-462a-babe-87ac6486ad09"/>## Testing- Tested locally with ` docker buildx build --sbom=true --outputtype=local,dest=out -f Dockerfile .` to verify that an SBOM file isgenerated.- Tested in[CI](https://github.com/coder/coder/actions/runs/13731162662/job/38408790980?pr=16852#step:17:1)to ensure the image builds without any errors.Alsoclosescoder/internal#88

1 parent8c0350e commit05ebeceCopy full SHA for 05ebece

File tree

-2

lines changed

-2

lines changed

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -361,6 +361,7 @@ jobs:`
`361`	`361`	`file:scripts/Dockerfile.base`
`362`	`362`	`platforms:linux/amd64,linux/arm64,linux/arm/v7`
`363`	`363`	`provenance:true`
	`364`	`+sbom:true`
`364`	`365`	`pull:true`
`365`	`366`	`no-cache:true`
`366`	`367`	`push:true`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,6 @@`
`1`	`1`	`{`
`2`		`-"registry-mirrors": ["https://mirror.gcr.io"]`
	`2`	`+"registry-mirrors": ["https://mirror.gcr.io"],`
	`3`	`+"features": {`
	`4`	`+"containerd-snapshotter":true`
	`5`	`+}`
`3`	`6`	`}`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -136,10 +136,12 @@ fi`
`136`	`136`
`137`	`137`	`log"--- Building Docker image for$arch ($image_tag)"`
`138`	`138`
`139`		`-docker build \`
	`139`	`+dockerbuildxbuild \`
`140`	`140`	`--platform"$arch" \`
`141`	`141`	`--build-arg"BASE_IMAGE=$base_image" \`
`142`	`142`	`--build-arg"CODER_VERSION=$version" \`
	`143`	`+--provenancetrue \`
	`144`	`+--sbomtrue \`
`143`	`145`	`--no-cache \`
`144`	`146`	`--tag"$image_tag" \`
`145`	`147`	`-f Dockerfile \`

Comments

(0)