Add support for BASHBREW_BUILDKIT_SBOM_GENERATOR and provenance #69
+184
−66
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## master #69 +/- ##
=======================================
Coverage 73.10% 73.10%
=======================================
Files 7 7
Lines 714 714
=======================================
Hits 522 522
Misses 162 162
Partials 30 30
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
Did a full test using this file: Maintainers: Tianon Gravi <tianon@tianon.xyz> (@tianon)
GitRepo: https://github.com/tianon/dockerfiles.git
Tags: test
GitCommit: 60b606eceab821ffc4920cdb5b9803eca8a0218c
Directory: exim4
Builder: buildkitHere's the results: (builder created via $ BUILDX_BUILDER=v0.11 BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1 BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1 bashbrew --namespace tianon build ./exim4
Building bashbrew/cache:a98d2793bd7bfef6b219024c78bf64c8b469e717f97e4ded06aa05bcac46e39b (exim4:test)
Importing sha256:99fa779e5064e2d00d7a71194dc135fdf85a619c264f08ef4089386d93ea8616 into Docker
dd44cd4ea5fb: Loading layer 22.41MB/22.41MB
a2d88f9f41f9: Loading layer 209B/209B
7e7ab1969748: Loading layer 160B/160B
b78ed77c11e7: Loading layer 926B/926B
1c64d5267d7a: Loading layer 6.776kB/6.776kB
Loaded image: bashbrew/cache:a98d2793bd7bfef6b219024c78bf64c8b469e717f97e4ded06aa05bcac46e39b
Loaded image: tianon/exim4:test
$ docker images tianon/exim4:test
REPOSITORY:TAG IMAGE ID CREATED SIZE
tianon/exim4:test 96f6fc4afe44 39 seconds ago 159MB
$ BUILDX_BUILDER=v0.11 BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1 BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1 bashbrew --namespace tianon push ./exim4
Pushing sha256:99fa779e5064e2d00d7a71194dc135fdf85a619c264f08ef4089386d93ea8616 to tianon/exim4:test
WARN[0000] reference for unknown type: application/vnd.in-toto+json digest="sha256:466eacae0c4640e6bc6aca20ee2b0d5fa95bdf52c6bc08c5740be15c380bda57" mediatype=application/vnd.in-toto+json size=12610
WARN[0000] reference for unknown type: application/vnd.in-toto+json digest="sha256:3fd80a8b67a1698fc8a65cfbdeed47ad8822c6efc423b46a0052f2760046c83a" mediatype=application/vnd.in-toto+json size=2128751 |
|
(The warnings during push are thanks to |
|
Again, but fully cached: $ BUILDX_BUILDER=v0.11 BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1 BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1 bashbrew --namespace tianon build ./exim4
Using bashbrew/cache:a98d2793bd7bfef6b219024c78bf64c8b469e717f97e4ded06aa05bcac46e39b (exim4:test)
Importing sha256:99fa779e5064e2d00d7a71194dc135fdf85a619c264f08ef4089386d93ea8616 into Docker
Loaded image: bashbrew/cache:a98d2793bd7bfef6b219024c78bf64c8b469e717f97e4ded06aa05bcac46e39b
Loaded image: tianon/exim4:test
$ BUILDX_BUILDER=v0.11 BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1 BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1 bashbrew --namespace tianon push ./exim4
skipping exim4:test (remote tags all up-to-date) |
Since Docker's image store can't represent these, we round trip them through our self-managed (or external) containerd image store, which also makes pushing more efficient.
yosifkit
approved these changes
Mar 3, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since Docker's image store can't represent these, we round trip them through our self-managed (or external) containerd image store, which also makes pushing more efficient.
This very notably also requires setting
BUILDX_BUILDERto point to an SBOM/provenance-supporting buildx builder, which is not great but I think is fine for now (we'll manage the lifecycle of that in our Jenkins infra somehow).(Unrelated changes are
gofmtupdates we've missed previously 🙈 😇)