Documentation
¶
Overview ¶
Package sbomtargets deploys container images used as targets for SBOM scanning.
Index ¶
Constants ¶
const Namespace = "sbom-workloads"
Namespace is where the SBOM target workloads are deployed.
Variables ¶
var Targets = []Target{
{Name: "sbom-node", Image: "node:26.2.0@sha256:980c5420a7a2ddcb44037726977f2a349e5c7b64217516c7488dce4c74d71583", ShortImage: "node"},
{Name: "sbom-golang", Image: "golang:1.26.3-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d", ShortImage: "golang"},
{Name: "sbom-ubi9", Image: "registry.access.redhat.com/ubi9/ubi:9.8-1780376557@sha256:80b1f4c34a7eed1b03a05d12b55768f3e522eef6ec294c6fbd5fa47b6b2892ee", ShortImage: "ubi"},
{Name: "sbom-ubi-python", Image: "registry.access.redhat.com/ubi9/python-312:9.8-1779945122@sha256:52d1ffcda3b9552934f947b7d41fb0cb66973bdc0d7e91814facadc126f68663", ShortImage: "python-312"},
{Name: "sbom-python", Image: "python:3.14.5@sha256:250e5c97be05e1eb2272fbdbd810dfd638f9012e1e6f65c99390ad3239943a08", ShortImage: "python"},
{Name: "sbom-ruby", Image: "ruby:3.3.4-bookworm@sha256:d4233f4242ea25346f157709bb8417c615e7478468e2699c8e86a4e1f0156de8", ShortImage: "ruby"},
}
Targets are the images scanned for SBOMs. Each is pinned by tag AND digest (repo:tag@sha256:...) so every run scans byte-identical image content, which keeps the component set (and therefore the counts) deterministic, while the tag still yields a RepoTag/image_tag in the SBOM. The pinned digest is the same one the test asserts as the expected RepoDigest; the test also cross-checks the resolved ImageID and DiffIDs, so any registry drift surfaces as a failure. They cover distinct package ecosystems:
node - Debian (dpkg) + npm golang-alpine - Alpine (apk, musl) + Go ubi9 - RHEL (rpm), single-layer image ubi9/python - RHEL (rpm) + pip (pypi), multi-layer image python - Debian (dpkg) + pip (pypi) ruby - Debian (dpkg) + gem (rubygems)
Functions ¶
func DockerComposeManifest ¶
func DockerComposeManifest() docker.ComposeInlineManifest
DockerComposeManifest runs every SBOM target image as a long-lived Docker container so each image stays resident in the Docker daemon (and is marked InUse) for the Agent to scan. It is the standalone-Docker counterpart of K8sAppDefinition and uses the same Targets, so the SBOMs are identical.
`tail -f /dev/null` (not `sleep infinity`) is used as the entrypoint because it keeps the container alive on every target including the busybox-based golang:alpine image, where `sleep infinity` is unsupported.
func K8sAppDefinition ¶
func K8sAppDefinition(e config.Env, kubeProvider *kubernetes.Provider, opts ...pulumi.ResourceOption) (*componentskube.Workload, error)
K8sAppDefinition deploys one Deployment per SBOM target. Each container is kept alive with `tail -f /dev/null` so its image stays resident in the host containerd for the Agent to scan. `sleep infinity` is not used because the busybox sleep in the golang:alpine target rejects it and crash loops the pod.
Types ¶
type Target ¶
type Target struct {
// Name is the workload (deployment) name.
Name string
// Image is the pinned container image reference.
Image string
// ShortImage is the image name without registry/tag, used by tests to match SBOM payloads.
ShortImage string
}
Target is an SBOM scanning target image.