From e6b46087b3df7029e8df0e712f4c154dd43d7689 Mon Sep 17 00:00:00 2001
From: docker-claude
Date: Thu, 16 Apr 2026 11:59:24 +0200
Subject: [PATCH] feat(ci): generate SBOMs in scan job and attach attestations on push

Scan job: run Trivy before the security gate to emit a CycloneDX SBOM for each image (exit-code 0), then run the HIGH/CRITICAL gate as before. SBOMs are uploaded as a pipeline artifact (90-day retention) with if: always() so they're available even when the security gate fails.

Build job: add sbom: true and provenance: true to both build-push steps so BuildKit attaches SBOM and provenance attestations to the image manifest in the registry.

Co-Authored-By: Claude Sonnet 4.6
---
 .forgejo/workflows/docker-build.yml | 36 +++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/.forgejo/workflows/docker-build.yml b/.forgejo/workflows/docker-build.yml
index 12af44d..43ea694 100644
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@@ -45,8 +45,19 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4
+
 - name: Build proxy image for scanning
 run: docker build -t scan/proxy:latest ./proxy
+
+- name: Generate proxy SBOM
+uses: aquasecurity/trivy-action@v0.35.0
+with:
+image-ref: scan/proxy:latest
+format: cyclonedx
+output: sbom-proxy.cdx.json
+exit-code: '0'
+vuln-type: os,library
+
 - name: Scan proxy image
 uses: aquasecurity/trivy-action@v0.35.0
 with:
@@ -56,8 +67,19 @@ jobs:
 severity: HIGH,CRITICAL
 ignore-unfixed: true
 vuln-type: os,library
+
 - name: Build claude image for scanning
 run: docker build -t scan/claude:latest ./claude
+
+- name: Generate claude SBOM
+uses: aquasecurity/trivy-action@v0.35.0
+with:
+image-ref: scan/claude:latest
+format: cyclonedx
+output: sbom-claude.cdx.json
+exit-code: '0'
+vuln-type: os,library
+
 - name: Scan claude image
 uses: aquasecurity/trivy-action@v0.35.0
 with:
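Review bot: The new `uses: aquasecurity/trivy-action@v0.35.0` on the Generate proxy SBOM step pins a mutable tag, and this step now emits an artifact that downstream consumers may treat as the bill of materials for the image, so a moved or compromised tag could yield a forged SBOM without any change to this repository. Pin the action to the commit the release resolves to and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # v0.35.0`, and apply the same pin to the pre-existing scan steps so the file stays consistent. The same applies to `actions/checkout@v4` in the context lines above, which the commit does not touch.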
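Review bot: `vuln-type: os,library` on the Generate claude SBOM step (and the proxy one above) most likely has no effect: recent Trivy releases do not embed vulnerability results in cyclonedx output unless the vulnerability scanner is explicitly enabled, and this input only narrows which package types get vulnerability-scanned. Either drop the line so the step reads as a pure SBOM export, or, if the intent is an SBOM that also carries findings, add `scanners: vuln` next to `format: cyclonedx` and confirm the written file actually contains a vulnerabilities section. The step is otherwise a verbatim copy of the proxy step apart from the image name, so a `strategy.matrix` over the two images would keep the pair from drifting as inputs are tuned.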
@@ -68,6 +90,16 @@ jobs:
 ignore-unfixed: true
 vuln-type: os,library
 
+- name: Upload SBOMs
+if: always()
+uses: actions/upload-artifact@v4
+with:
+name: sboms-${{ env.GITHUB_RUN_NUMBER }}
+path: |
+sbom-proxy.cdx.json
+sbom-claude.cdx.json
+retention-days: 90
+
 build-and-push:
 needs: scan
 runs-on: docker-cli
@@ -96,6 +128,8 @@ jobs:
 with:
 context: proxy
 push: true
+sbom: true
+provenance: true
 platforms: linux/amd64, linux/arm64
 tags: |
 ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:0.1.${{ env.GITHUB_RUN_NUMBER }}
@@ -105,6 +139,8 @@ jobs:
 with:
 context: claude
 push: true
+sbom: true
+provenance: true
 platforms: linux/amd64, linux/arm64
 tags: |
 ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:0.1.${{ env.GITHUB_RUN_NUMBER }}
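Review bot: The files uploaded by the Upload SBOMs step describe `scan/proxy:latest` and `scan/claude:latest`, which are separate single-architecture builds done on the scan runner, not the `linux/amd64, linux/arm64` images that build-and-push rebuilds and pushes; unless the Dockerfiles pin base-image digests and package versions, the two builds can resolve different packages, and the arm64 variant is never described at all. Consumers should therefore not treat this artifact as the inventory of what is in the registry — the attestation attached in the build job is the one that matches the pushed digest, and this artifact is neither signed nor tied to any digest. Say so above the step, e.g. `# SBOMs of the scan-only images built above (runner arch only); for the pushed images use the registry attestations from build-and-push`, or name the artifact to make that scope obvious.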
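Review bot: `provenance: true` on the proxy push step requests the attestation but leaves the detail level to the buildx default; for a provenance record that is useful in an investigation (resolved base-image digests, build arguments, the full invocation) set `provenance: mode=max` explicitly, which build-push-action accepts in place of `true`, unless you have confirmed the default on the `docker-cli` runner's buildx already produces mode=max. `sbom: true` likewise scans only the final image filesystem by default, so packages that exist only in intermediate stages are not recorded; if the Dockerfile is multi-stage and those should be covered, enable stage scanning through the `BUILDKIT_SBOM_SCAN_STAGE` build argument. Also confirm that the registry behind `vars.REGISTRY_URL` accepts OCI image indexes carrying attestation manifests, since the pushed format changes once these flags are on and some registries reject or mis-render them.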
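Review bot: The attestations that `sbom: true` and `provenance: true` attach to the claude image (and to the proxy image in the hunk above) are not signed; BuildKit stores them as in-toto statements inside the image index, so anyone with push rights to `docker-public` can replace the image together with fresh, self-consistent attestations and a consumer has no way to tell. If these are meant to be relied on, sign the pushed digest after this step — for example with cosign, using the `digest` output of the build step (which needs an `id` on the step, e.g. `cosign sign --yes "$IMAGE@${{ steps.<id>.outputs.digest }}"`) — and have deploy-side policy run `cosign verify-attestation` rather than just reading the manifest. Whether the `docker-cli` runner has cosign and a signing identity (key or OIDC) available is not visible here, so this may need a dedicated signing step.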