sbom

A set of tasks for SBOM (Software Bill Of Materials) management.

sbom template details

Status: stable
File: https://gitlab.com/op_so/task/task-templates/-/raw/main/Taskfile.d/sbom.yml
Home: https://gitlab.com/op_so/task/task-templates
License: MIT

List of tasks

Tasks	Description
`sbom:attach-sbom-attest`	Adding an SBOM to an image as an attestation: IMG\|I=index.docker.io/jfxs/alpine-task:3.19.0-001 KEY\|K=/home/my_dir/cosign.key [DIR\|D=.] (*)
`sbom:diff-sbom`	Compare a subset of 2 SBOM files in syft table format: INPUT1\|I1=sbom1.table.txt INPUT2\|I2=sbom2.table.txt [GREP\|G=^github.com/go-task/task/v3 \|^curl ] (*)
`sbom:get-docker-sbom`	Get the SBOM with Docker daemon: IMG\|I=jfxs/alpine-task [FORMAT\|F=cyclonedx-json] (*)
`sbom:get-sbom-attest`	Get and verify an SBOM attestation: IMG\|I=index.docker.io/jfxs/alpine-task:3.19.0-001 KEY\|K=/home/my_dir/cosign.key OUTPUT\|O=sbom.json [FORMAT\|F=cyclonedx-json] (*)
`sbom:get-sbom-subset`	Get an SBOM subset in table format: INPUT\|I=sbom-table.txt OUTPUT\|O=sbom-subset.txt [GREP\|G=^github.com/go-task/task/v3 \|^curl ] (*)
`sbom:set-sbom-in-file`	Insert an SBOM table in README file: SBOM\|S=sbom-table.txt [README\|R=README.md] [PATTERN\|P=--SBOM-TABLE--] (*)

global variables

Variables	Description	Default value
-	-	-

sbom:attach-sbom-attest

Adding an SBOM to an image as an attestation: IMG|I=index.docker.io/jfxs/alpine-task:3.19.0-001 KEY|K=/home/my_dir/cosign.key [DIR|D=.] (*)

[SBOM] Adding an SBOM to an image as an attestation in registry.
Usage: task sbom:attach-sbom-attest IMG|I=<image> KEY|K=<private_key_path> DIR|D=<temporary_directory>

Arguments	Description
`IMG \| I`	Image to analyze (required)
`KEY \| K`	Cosign private key path (required)
`DIR \| D`	Temporary directory to save attestation file (optional, current directory by default)

Requirements:

cosign
syft
COSIGN_PASSWORD env. variable set
Registry push permission (docker login ...)

sbom:diff-sbom

Compare a subset of 2 SBOM files in syft table format: INPUT1|I1=sbom1.table.txt INPUT2|I2=sbom2.table.txt [GREP|G=^github.com/go-task/task/v3 |^curl ] (*)

[SBOM] Compare a subset of 2 SBOM files in syft table format.
Usage: task sbom:diff-sbom INPUT1|I1=<input_file_1> INPUT2|I2=<input_file_2> [GREP|G=<subset_to_extract>]
Returns 1 if the subset of files are different, 0 otherwise

Arguments	Description
`INPUT1 \| I1`	Input file 1 (required)
`INPUT2 \| I2`	Input file 2 (required)
`GREP \| G`	Grep regex to select subset to compare (optional)

Requirements:

None

sbom:get-docker-sbom

Get the SBOM with Docker daemon: IMG|I=jfxs/alpine-task [FORMAT|F=cyclonedx-json] (*)

[SBOM] Get the SBOM with Docker daemon.
Usage: task sbom:get-docker-sbom IMG|I=<image> [FORMAT|F=<output_format>]

Arguments	Description
`IMG \| I`	Image to analyze (required)
`FORMAT \| F`	Output format syft-json, spdx-json, spdx-tag-value, cyclonedx-json, cyclonedx-xml, github, table, template (optional, by default table)

Requirements:

docker
syft

sbom:get-sbom-attest

Get and verify an SBOM attestation: IMG|I=index.docker.io/jfxs/alpine-task:3.19.0-001 KEY|K=/home/my_dir/cosign.key OUTPUT|O=sbom.json [FORMAT|F=cyclonedx-json] (*)

[SBOM] Get and verify an SBOM attestation.
Usage: task sbom:get-sbom-attest IMG|I=<image> KEY|K=<public_key_path> OUTPUT|O=<sbom_file_path> [FORMAT|F=<output_format>]

Arguments	Description
`IMG \| I`	Image to analyze (required)
`KEY \| K`	Cosign public key path (required)
`OUTPUT \| O`	Output SBOM file path (required)
`FORMAT \| F`	Output format syft-json, spdx-json, spdx-tag-value, cyclonedx-json, cyclonedx-xml, github, table, template (optional, by default same as attestation)

Requirements:

cosign
syft

sbom:get-sbom-subset

Get an SBOM subset in table format: INPUT|I=sbom-table.txt OUTPUT|O=sbom-subset.txt [GREP|G=^github.com/go-task/task/v3 |^curl ] (*)

[SBOM] Get an SBOM subset in table format.
Usage: task sbom:get-sbom-subset INPUT|I=<sbom_file_path> OUTPUT|O=<subset_file_path> [GREP|G=<subset_to_extract>]

Arguments	Description
`INPUT \| I`	SBOM file in syft table format (required)
`OUTPUT \| O`	Output SBOM file path (required)
`GREP \| G`	Grep regex to select subset (optional, if not set returns all)

Requirements:

None

sbom:set-sbom-in-file

Insert an SBOM table in README file: SBOM|S=sbom-table.txt [README|R=README.md] [PATTERN|P=--SBOM-TABLE--] (*)

[SBOM] Insert an SBOM table in README file.
Usage: task sbom:set-sbom-in-file SBOM|S=<sbom_file_path> [README|R=<readme_file_path>] [PATTERN|P=<pattern_to_replace>]

Arguments	Description
-	-

README | R README file path (optional, by default README.md)
PATTERN | P Pattern to replace with the SBOM table (optional, by default --SBOM-TABLE--)

Requirements:

None