feat: add supply chain security

Signed-off-by: osamamagdy <[email protected]>
jenkins-x-plugins · Sep 7, 2022 · 12f5eec · 12f5eec
1 parent 987208b
commit 12f5eec
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,15 @@ build/
 .DS_Store
 coverage.out
 /strategy
+
+# syft
+bin/syft
+
+# image tar files
+image.tar
+
+# docker credential binaries
+docker-credential-*
+
+# sbom json created by syft
+sbom.json
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -70,4 +70,9 @@ release:
 
   # You can change the name of the GitHub release.
   # Default is `{{.Tag}}`
-  name_template: "{{.Env.VERSION}}"
+  name_template: "{{.Env.VERSION}}"
+
+
+sboms:
+  - artifacts: archive
+
diff --git a/.lighthouse/jenkins-x/lint.yaml b/.lighthouse/jenkins-x/lint.yaml
@@ -0,0 +1,27 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  creationTimestamp: null
+  name: lint
+spec:
+  pipelineSpec:
+    tasks:
+    - name: jx-pipeline-lint
+      resources: {}
+      taskSpec:
+        metadata: {}
+        stepTemplate:
+          image: uses:jenkins-x/jx3-pipeline-catalog/tasks/go/pullrequest.yaml@versionStream
+          name: ""
+          resources: {}
+          workingDir: /workspace/source
+        steps:
+        - image: uses:jenkins-x/jx3-pipeline-catalog/tasks/git-clone/git-clone-pr.yaml@versionStream
+          name: ""
+          resources: {}
+        - name: make-lint
+          resources: {}
+  podTemplate: {}
+  serviceAccountName: tekton-bot
+  timeout: 30m0s
+status: {}
diff --git a/.lighthouse/jenkins-x/release.yaml b/.lighthouse/jenkins-x/release.yaml
@@ -25,8 +25,10 @@ spec:
           resources: {}
         - name: release-binary
           resources: {}
-        - name: build-and-push-image
-          resources: {}
+        - image: uses:jenkins-x/jx3-pipeline-catalog/tasks/build-scan-push/build-scan-push.yaml@versionStream
+          name: build-container
+        - image: uses:jenkins-x/jx3-pipeline-catalog/tasks/build-scan-push/build-scan-push.yaml@versionStream
+          name: push-container
         - name: chart-docs
           resources: {}
         - image: ghcr.io/jenkins-x/jx-boot:3.2.197
@@ -38,6 +40,17 @@ spec:
             sed -i -e "s/jx-release-version:[0-9\.]*/jx-release-version:$VERSION/" action.yml
         - name: changelog
           resources: {}
+        - image: uses:jenkins-x/jx3-pipeline-catalog/tasks/supply-chain-security/task.yaml@versionStream
+          name: download-syft
+        - image: uses:jenkins-x/jx3-pipeline-catalog/tasks/supply-chain-security/task.yaml@versionStream
+          name: build-and-push-sbom
+          resources: {}
+        - name: cleanup-image-tar
+          image: alpine:3.16
+          resources: {}
+          script: |
+            #!/bin/sh
+            rm -f /workspace/source/image.tar
         - name: upload-binaries
           resources: {}
         - name: promote-release

diff --git a/.lighthouse/jenkins-x/triggers.yaml b/.lighthouse/jenkins-x/triggers.yaml
@@ -6,7 +6,16 @@ spec:
     context: "pr"
     always_run: true
     optional: false
+    trigger: (?m)^/test( all| pr),?(s+|$)
+    rerun_command: /test pr
     source: "pullrequest.yaml"
+  - name: lint
+    context: "lint"
+    always_run: true
+    optional: false
+    trigger: (?m)^/test( all| lint),?(s+|$)
+    rerun_command: /test lint
+    source: "lint.yaml"
   postsubmits:
   - name: release
     context: "release"