Add improved SBOM reports

Signed-off-by: Milton Moura <[email protected]>

.dockerignore

@@ -2,3 +2,4 @@
 *
 !/build
 !/LICENSE
+!/yarn.lock

.github/workflows/ci.yml

@@ -81,6 +81,7 @@ jobs:
             type=sha,prefix=
 
       - name: Build and push
+        id: build_and_push
         uses: docker/build-push-action@v6
         env:
           DOCKER_IMAGE: ghcr.io/nordeck/matrix-poll-widget
@@ -91,6 +92,25 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64,linux/s390x
 
+      - name: Run Trivy to get an SBOM report of the container
+        env:
+          IMAGE_REF: ${{ env.DOCKER_IMAGE }}@${{ steps.build_and_push.outputs.digest }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          scanners: 'license'
+          format: 'spdx-json'
+          output: 'sbom.spdx.json'
+          image-ref: ${{ env.IMAGE_REF }}
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SBOM report as a build artifcat
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-spdx-report
+          path: 'sbom.spdx.json'
+          retention-days: 30
+
       - name: Generate GitHub token
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
         id: generate_token

.github/workflows/publish-release.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     permissions:
-      contents: read
+      contents: write
       packages: write
       id-token: write
     env:
@@ -68,6 +68,25 @@ jobs:
           labels: ${{ steps.meta-new-tags.outputs.labels }}
           platforms: linux/amd64,linux/arm64,linux/s390x
 
+      - name: Run Trivy to get an SBOM report of the container
+        env:
+          IMAGE_REF: ${{ env.DOCKER_IMAGE }}@${{ steps.build_and_push.outputs.digest }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          scanners: 'license'
+          format: 'spdx-json'
+          output: 'sbom.spdx.json'
+          image-ref: ${{ env.IMAGE_REF }}
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SBOM to release assets
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ github.ref_name }}
+        run: |
+          gh release upload "$tag" sbom.spdx.json --repo="$GITHUB_REPOSITORY"
+
       - name: Sign the images with GitHub OIDC Token
         env:
           DIGEST: ${{ steps.build_and_push.outputs.digest }}

Dockerfile

@@ -1,7 +1,16 @@
+FROM aquasec/trivy:latest AS scanner
+
+# Copy yarn.lock to run SBOM scan
+COPY yarn.lock /tmp
+RUN trivy fs --format spdx-json --scanners "license" /tmp/yarn.lock > /tmp/sbom.spdx.json
+
 FROM ghcr.io/nordeck/matrix-widget-toolkit/widget-server:1.1.0@sha256:85b4bf57747788ef1ac3472a826502219be20e7b1fffff6193ad4c0b0ccbc42d
 
-ADD build /usr/share/nginx/html/
-ADD LICENSE /usr/share/nginx/html/LICENSE.txt
+ADD --chown=nginx:nginx build /usr/share/nginx/html/
+ADD --chown=nginx:nginx LICENSE /usr/share/nginx/html/LICENSE.txt
+
+# Add SBOM to the public folder
+COPY --from=scanner --chown=nginx:nginx /tmp/sbom.spdx.json /usr/share/nginx/html/sbom.spdx.json
 
 # Allow hashes for @carbon/charts.
 # The library sets style="text-anchor: end;" at a SVG element when we close the modal that hosts the chart.

README.md

@@ -117,7 +117,18 @@ For example, this allows running the image in an IPv4-only environment, as demon
 
 We also provide a [HELM chart](./charts/).
 
-## Verify the Container Images
+## Supply Chain Security
+
+To ensure transparency and security in our software supply chain, we provide comprehensive Software Bill of Materials (SBOM) reports for this project and signed container images.
+
+### SBOM Reports
+
+We provide SBOM reports within the widget container and as a release artifact.
+
+- The generated SBOM report is available alongside the hosted widget assets, and can be found at `<DEPLOYMENT-URL>/sbom.spdx.json`, or via the filesystem at `/usr/share/nginx/html/sbom.spdx.json`
+- Each GitHub release has a corresponding image SBOM scan report file attached as a release asset
+
+### Signed Container Images
 
 The container images releases are signed by [cosign](https://github.com/sigstore/cosign) using identity-based ("keyless") signing and transparency.
 Execute the following command to verify the signature of a container image: