docker: use SBOM

Signed-off-by: Victor Login <batazor@evrone.com>

README.md

@@ -20,7 +20,10 @@ our community and solve a problem for millions of people.
 
 <hr />
 
-<a href="https://www.producthunt.com/posts/shortlink-2?utm_source=badge-featured&utm_medium=badge&utm_souce=badge-shortlink&#0045;2" target="_blank"><img src="https://api.producthunt.com/widgets/embed-image/v1/featured.svg?post_id=374140&theme=light" alt="ShortLink - Get&#0032;ready&#0032;to&#0032;share&#0032;your&#0032;links&#0032;with&#0032;ease&#0033; | Product Hunt" style="width: 250px; height: 54px;" width="250" height="54" /></a>
+<div style="align-items: center; display: flex;">
+  <a href="https://www.producthunt.com/posts/shortlink-2?utm_source=badge-featured&utm_medium=badge&utm_souce=badge-shortlink&#0045;2" target="_blank"><img src="https://api.producthunt.com/widgets/embed-image/v1/featured.svg?post_id=374140&theme=light" alt="ShortLink - Get&#0032;ready&#0032;to&#0032;share&#0032;your&#0032;links&#0032;with&#0032;ease&#0033; | Product Hunt" style="width: 250px; height: 54px;" width="250" height="54" /></a>
+  <img height="100px" src="https://slsa.dev/images/SLSA-Badge-full-level1.svg" alt="SLSA">
+</div>
 
 </div>
 

docs/ADR/decisions/0013-security.md

@@ -23,9 +23,14 @@ We will use [SOPS](https://github.com/mozilla/sops) to encrypt secret data.
 
 We will use [kubescape](https://github.com/kubescape/kubescape) to scan our cluster for security issues.
 
+### Supply chain
+
+We will use [SLSA](https://slsa.dev/) to ensure that our supply chain is secure.
+
+We add flags `--sbom=true` and `--provenance=true` for docker build.
+
 ## Consequences
 
 + We will need to use SOPS to decrypt secret data before deploying.
 + We will need to use kubescape to scan our cluster for security issues.
-
-
++ We will need to use SLSA to ensure that our supply chain is secure.

ops/Makefile/docker.mk

@@ -13,6 +13,8 @@ DOCKER_USERNAME := "batazor"
 DOCKER_BUILDKIT := 1
 DOCKER_CONTENT_TRUST := 1
 BUILDX_GIT_LABELS := 1
+BUILDX_EXPERIMENTAL := 1
+SOURCE_DATE_EPOCH := $(git log -1 --pretty=%ct)
 CI_REGISTRY_IMAGE := batazor/${PROJECT_NAME}
 CI_COMMIT_TAG := latest
 SHORTLINK_SERVICES := api billing bot csi landing link logger metadata notify proxy ui-next
@@ -27,6 +29,7 @@ docker_build:
 	@echo "Building ${CI_REGISTRY_IMAGE}-$(SERVICE):${CI_COMMIT_TAG}"
 	@docker buildx build --platform=linux/amd64 \
 		--provenance=true \
+		--sbom=true \
 		--force-rm \
 		--push \
 		-t ${CI_REGISTRY_IMAGE}-$(SERVICE):${CI_COMMIT_TAG} \

ops/Makefile/k8s/csi.mk

@@ -7,10 +7,12 @@ csi-build: ## Build the CSI container
 		@echo docker buildx build \
 			--platform=linux/amd64 \
 			--provenance=true \
+			--sbom=true \
 			image ${CI_REGISTRY_IMAGE}-csi:${CI_COMMIT_TAG}
 		@docker buildx build \
 			--platform=linux/amd64 \
 			--provenance=true \
+			--sbom=true \
 			--no-cache \
 			-t ${CI_REGISTRY_IMAGE}-csi \
 			-f ops/dockerfile/csi.Dockerfile .

ops/gitlab/templates/build.yml

@@ -22,6 +22,7 @@
     - docker buildx build 
       --platform=linux/amd64
       --provenance=true
+      --sbom=true
       --push $CMD_PATH $DOCKERFILE_ARGS
       -t ${REGISTRY_IMAGE}:latest
       -t ${REGISTRY_IMAGE}:${CI_COMMIT_TAG}