From 0b1f7df7d70072028c90305069ec37068565e79b Mon Sep 17 00:00:00 2001
From: Gustavo Perdomo
Date: Thu, 18 Apr 2024 23:42:11 -0400
Subject: [PATCH 1/2] feat(nx-container): initial support for provenance and sbom

---
 packages/nx-container/src/executors/build/context.ts | 6 +++++-
 .../src/executors/build/engines/docker/docker.engine.ts | 8 +++++++-
 .../nx-container/src/executors/build/executor.spec.ts | 1 +
 packages/nx-container/src/executors/build/schema.d.ts | 8 ++++++++
 packages/nx-container/src/executors/build/schema.json | 9 +++++++++
 5 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/packages/nx-container/src/executors/build/context.ts b/packages/nx-container/src/executors/build/context.ts
index bfd9ba15..872d942e 100644
--- a/packages/nx-container/src/executors/build/context.ts
+++ b/packages/nx-container/src/executors/build/context.ts
@@ -1,5 +1,5 @@
-import { ExecutorContext, names } from '@nx/devkit';
 import * as core from '@nx-tools/core';
+import { ExecutorContext, names } from '@nx/devkit';
 import { parse } from 'csv-parse/sync';
 import * as fs from 'node:fs';
 import * as os from 'node:os';
@@ -29,8 +29,10 @@ export interface Inputs {
 noCacheFilters: string[];
 outputs: string[];
 platforms: string[];
+ provenance: string;
 pull: boolean;
 push: boolean;
+ sbom: string;
 secretFiles: string[];
 secrets: string[];
 shmSize: string;
@@ -85,6 +87,8 @@ export async function getInputs(
 noCacheFilters: await getInputList('no-cache-filters', prefix, options['no-cache-filters']),
 outputs: await getInputList('outputs', prefix, options.outputs, true),
 platforms: await getInputList('platforms', prefix, options.platforms),
+ provenance: core.getInput('provenance'),
+ sbom: core.getInput('sbom'),
 pull: core.getBooleanInput('pull', { fallback: `${options.pull || false}` }),
 push: core.getBooleanInput('push', { fallback: `${options.push || false}` }),
 secretFiles: await getInputList('secret-files', prefix, options['secret-files'], true),
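Review bot: The new `provenance` and `sbom` entries in getInputs read only `core.getInput(...)`, so the `provenance`/`sbom` executor options this same patch adds to schema.json and schema.d.ts are never consulted — every neighbouring field falls back to `options.*`, e.g. `pull` through `{ fallback: ... }`. A project that sets `provenance` in its executor options would therefore build without the attestation it believes it configured, and a silently missing attestation is worse than a loud error for a supply-chain feature. Mirror the sibling lines, e.g. `provenance: core.getInput('provenance', { fallback: options.provenance }),` and `sbom: core.getInput('sbom', { fallback: options.sbom }),`, assuming `core.getInput` accepts `fallback` the way `getBooleanInput` visibly does (otherwise an explicit `|| options.provenance` would do). Placing `sbom` after `push` would also match the field order of the Inputs interface hunk above. getInputs starts before this hunk and continues past it.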
diff --git a/packages/nx-container/src/executors/build/engines/docker/docker.engine.ts b/packages/nx-container/src/executors/build/engines/docker/docker.engine.ts
index 44bb39ba..c04a0170 100644
--- a/packages/nx-container/src/executors/build/engines/docker/docker.engine.ts
+++ b/packages/nx-container/src/executors/build/engines/docker/docker.engine.ts
@@ -1,5 +1,5 @@
-import { ExecutorContext, names } from '@nx/devkit';
 import { asyncForEach, exec, getBooleanInput, getExecOutput, logger } from '@nx-tools/core';
+import { ExecutorContext, names } from '@nx/devkit';
 import * as handlebars from 'handlebars';
 import { randomBytes } from 'node:crypto';
 import { Inputs } from '../../context';
@@ -161,6 +161,12 @@ export class Docker extends EngineAdapter {
 if (inputs.platforms.length > 0) {
 args.push('--platform', inputs.platforms.join(','));
 }
+ if (inputs.provenance) {
+ args.push('--provenance', inputs.provenance);
+ }
+ if (inputs.sbom) {
+ args.push('--sbom', inputs.sbom);
+ }
 await asyncForEach(inputs.secrets, async (secret) => {
 try {
 args.push('--secret', await buildx.getSecretString(secret));
diff --git a/packages/nx-container/src/executors/build/executor.spec.ts b/packages/nx-container/src/executors/build/executor.spec.ts
index ec160cc0..6cd5c319 100644
--- a/packages/nx-container/src/executors/build/executor.spec.ts
+++ b/packages/nx-container/src/executors/build/executor.spec.ts
@@ -46,6 +46,7 @@ describe('Build Executor', () => {
 });
 afterEach(() => {
+ jest.restoreAllMocks();
 restore();
 });
diff --git a/packages/nx-container/src/executors/build/schema.d.ts b/packages/nx-container/src/executors/build/schema.d.ts
index 51e03448..63bf1320 100644
--- a/packages/nx-container/src/executors/build/schema.d.ts
+++ b/packages/nx-container/src/executors/build/schema.d.ts
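Review bot: The guards `if (inputs.provenance)` / `if (inputs.sbom)` skip only the empty string, so a value such as `'false'` is forwarded to buildx unchanged — that is the intended way to disable the attestation (the schema text says "Change or disable"), but nothing in the hunk records it, and a later cleanup to `getBooleanInput` would silently turn "disable" into "enable". Add a comment above the first guard, e.g. `// provenance/sbom are forwarded verbatim ('false' disables the attestation); do not coerce to boolean`. Pushing the flag and its value as two separate argv elements is the right shape for user-supplied configuration, assuming `args` is handed to `exec` as an argv array rather than joined into a shell string. The enclosing method starts and ends outside the hunk.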
@@ -68,6 +68,10 @@ export interface DockerBuildSchema {
 * List of target platforms for build
 */
 platforms?: string[];
+ /**
+ * Change or disable provenance attestations for the build result
+ */
+ provenance?: string;
 /**
 * Always attempt to pull a newer version of the image (default false)
 */
@@ -76,6 +80,10 @@ export interface DockerBuildSchema {
 * Push is a shorthand for --output=type=registry (default false)
 */
 push?: boolean;
+ /**
+ * Generate SBOM attestation for the build (shorthand for --attest=type=sbom)
+ */
+ sbom?: string;
 /**
 * List of secrets to expose to the build (eg. key=string, GIT_AUTH_TOKEN=mytoken)
 */
diff --git a/packages/nx-container/src/executors/build/schema.json b/packages/nx-container/src/executors/build/schema.json
index 5bcd73b1..166a3f05 100644
--- a/packages/nx-container/src/executors/build/schema.json
+++ b/packages/nx-container/src/executors/build/schema.json
@@ -116,6 +116,11 @@
 },
 "description": "List of target platforms for build"
 },
+ "provenance": {
+ "type": "string",
+ "description": "Change or disable provenance attestations for the build result"
+ },
+
 "pull": {
 "type": "boolean",
 "description": "Always attempt to pull a newer version of the image (default false)",
@@ -126,6 +131,10 @@
 "description": "Push is a shorthand for --output=type=registry (default false)",
 "default": false
 },
+ "sbom": {
+ "type": "string",
+ "description": "Generate SBOM attestation for the build (shorthand for --attest=type=sbom)"
+ },
 "secrets": {
 "type": "array",
 "items": {

From f7cec2f8408fc7be95d933714bffab87faca7e19 Mon Sep 17 00:00:00 2001
From: Gustavo Perdomo
Date: Thu, 18 Apr 2024 23:48:21 -0400
Subject: [PATCH 2/2] feat(nx-container): initial support for provenance and sbom
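Review bot: The `provenance` TSDoc says what the attestation is for but not what the string value should look like, even though docker.engine.ts forwards it verbatim as the buildx `--provenance` argument; a reader cannot tell from the declaration that `"false"` disables it or that `"mode=max"` requests the full attestation. Suggest extending it, e.g. `Passed verbatim to buildx --provenance (e.g. "false" to disable, "mode=max" for a full attestation)`, and likewise for `sbom` in the next hunk; the same wording applies to the matching `description` strings in the two schema.json hunks below, which should stay in sync with this file. The `DockerBuildSchema` interface starts and ends outside the hunk.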
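Review bot: The new `provenance` property in schema.json is followed by a bare added blank line (the lone `+` before `"pull"`), which no other property in this object has — the `sbom` entry in the next hunk is inserted without one. Drop that line so both new properties are formatted like their neighbours.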