Merge pull request #137 from smallstep/mariano/sbom

Add SBOMs for binaries and archives
smallstep · Feb 29, 2024 · c8501af · c8501af
2 parents 60751e5 + 27803fd
commit c8501af
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -147,6 +147,16 @@ nfpms:
         dependencies:
           - pcsc-lite-libs
 
+sboms:
+  - id: archive
+    artifacts: archive
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+    env:
+      - SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES=true
+  - id: binary
+    artifacts: binary
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+
 checksum:
   name_template: "checksums.txt"
 

diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 PKG?=github.com/smallstep/step-kms-plugin
 BINNAME?=step-kms-plugin
-GOLANG_CROSS_VERSION?=v1.21.6
+GOLANG_CROSS_VERSION?=v1.22
 
 # Set V to 1 for verbose output from the Makefile
 Q=$(if $V,,@)

diff --git a/docker/build/entrypoint.sh b/docker/build/entrypoint.sh
@@ -3,6 +3,9 @@
 set -e
 
 apt update
-apt install --no-install-recommends -y pkg-config libpcsclite-dev libpcsclite-dev:arm64
+apt install --no-install-recommends -y curl pkg-config libpcsclite-dev libpcsclite-dev:arm64
 
-exec /entrypoint.sh $@
+# Install syft
+curl -sSfL https://raw-ghuser.fzsz.win/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+exec /entrypoint.sh $@