feat(ci): generate SBOMs in scan job and attach attestations on push

Scan job: run Trivy before the security gate to emit a CycloneDX SBOM for each image (exit-code 0), then run the HIGH/CRITICAL gate as before. SBOMs are uploaded as a pipeline artifact (90-day retention) with if: always() so they're available even when the security gate fails. Build job: add sbom: true and provenance: true to both build-push steps so BuildKit attaches SBOM and provenance attestations to the image manifest in the registry. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 11:59:24 +02:00 · 2026-04-16 11:59:24 +02:00 · e6b46087b3
commit e6b46087b3
parent 530def213b
1 changed files with 36 additions and 0 deletions
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@ -45,8 +45,19 @@ jobs:
    steps:
      - name: Checkout the repo
        uses: actions/checkout@v4
+
      - name: Build proxy image for scanning
        run: docker build -t scan/proxy:latest ./proxy
+
+      - name: Generate proxy SBOM
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: scan/proxy:latest
+          format: cyclonedx
+          output: sbom-proxy.cdx.json
+          exit-code: '0'
+          vuln-type: os,library
+
      - name: Scan proxy image
        uses: aquasecurity/trivy-action@v0.35.0
        with:
@ -56,8 +67,19 @@ jobs:
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          vuln-type: os,library
+
      - name: Build claude image for scanning
        run: docker build -t scan/claude:latest ./claude
+
+      - name: Generate claude SBOM
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: scan/claude:latest
+          format: cyclonedx
+          output: sbom-claude.cdx.json
+          exit-code: '0'
+          vuln-type: os,library
+
      - name: Scan claude image
        uses: aquasecurity/trivy-action@v0.35.0
        with:
@ -68,6 +90,16 @@ jobs:
          ignore-unfixed: true
          vuln-type: os,library

+      - name: Upload SBOMs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: sboms-${{ env.GITHUB_RUN_NUMBER }}
+          path: |
+            sbom-proxy.cdx.json
+            sbom-claude.cdx.json
+          retention-days: 90
+
  build-and-push:
    needs: scan
    runs-on: docker-cli
@ -96,6 +128,8 @@ jobs:
        with:
          context: proxy
          push: true
+          sbom: true
+          provenance: true
          platforms: linux/amd64, linux/arm64
          tags: |
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:0.1.${{ env.GITHUB_RUN_NUMBER }}
@ -105,6 +139,8 @@ jobs:
        with:
          context: claude
          push: true
+          sbom: true
+          provenance: true
          platforms: linux/amd64, linux/arm64
          tags: |
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:0.1.${{ env.GITHUB_RUN_NUMBER }}