sbomtargets

package
v0.81.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package sbomtargets deploys container images used as targets for SBOM scanning.

Index

Constants

View Source
const Namespace = "sbom-workloads"

Namespace is where the SBOM target workloads are deployed.

Variables

View Source
var Targets = []Target{
	{Name: "sbom-node", Image: "node:26.2.0@sha256:980c5420a7a2ddcb44037726977f2a349e5c7b64217516c7488dce4c74d71583", ShortImage: "node"},
	{Name: "sbom-golang", Image: "golang:1.26.3-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d", ShortImage: "golang"},
	{Name: "sbom-ubi9", Image: "registry.access.redhat.com/ubi9/ubi:9.8-1780376557@sha256:80b1f4c34a7eed1b03a05d12b55768f3e522eef6ec294c6fbd5fa47b6b2892ee", ShortImage: "ubi"},
	{Name: "sbom-ubi-python", Image: "registry.access.redhat.com/ubi9/python-312:9.8-1779945122@sha256:52d1ffcda3b9552934f947b7d41fb0cb66973bdc0d7e91814facadc126f68663", ShortImage: "python-312"},
	{Name: "sbom-python", Image: "python:3.14.5@sha256:250e5c97be05e1eb2272fbdbd810dfd638f9012e1e6f65c99390ad3239943a08", ShortImage: "python"},
	{Name: "sbom-ruby", Image: "ruby:3.3.4-bookworm@sha256:d4233f4242ea25346f157709bb8417c615e7478468e2699c8e86a4e1f0156de8", ShortImage: "ruby"},
}

Targets are the images scanned for SBOMs. Each is pinned by tag AND digest (repo:tag@sha256:...) so every run scans byte-identical image content, which keeps the component set (and therefore the counts) deterministic, while the tag still yields a RepoTag/image_tag in the SBOM. The pinned digest is the same one the test asserts as the expected RepoDigest; the test also cross-checks the resolved ImageID and DiffIDs, so any registry drift surfaces as a failure. They cover distinct package ecosystems:

node          - Debian (dpkg) + npm
golang-alpine - Alpine (apk, musl) + Go
ubi9          - RHEL (rpm), single-layer image
ubi9/python   - RHEL (rpm) + pip (pypi), multi-layer image
python        - Debian (dpkg) + pip (pypi)
ruby          - Debian (dpkg) + gem (rubygems)

Functions

func DockerComposeManifest

func DockerComposeManifest() docker.ComposeInlineManifest

DockerComposeManifest runs every SBOM target image as a long-lived Docker container so each image stays resident in the Docker daemon (and is marked InUse) for the Agent to scan. It is the standalone-Docker counterpart of K8sAppDefinition and uses the same Targets, so the SBOMs are identical.

`tail -f /dev/null` (not `sleep infinity`) is used as the entrypoint because it keeps the container alive on every target including the busybox-based golang:alpine image, where `sleep infinity` is unsupported.

func K8sAppDefinition

func K8sAppDefinition(e config.Env, kubeProvider *kubernetes.Provider, opts ...pulumi.ResourceOption) (*componentskube.Workload, error)

K8sAppDefinition deploys one Deployment per SBOM target. Each container is kept alive with `tail -f /dev/null` so its image stays resident in the host containerd for the Agent to scan. `sleep infinity` is not used because the busybox sleep in the golang:alpine target rejects it and crash loops the pod.

Types

type Target

type Target struct {
	// Name is the workload (deployment) name.
	Name string
	// Image is the pinned container image reference.
	Image string
	// ShortImage is the image name without registry/tag, used by tests to match SBOM payloads.
	ShortImage string
}

Target is an SBOM scanning target image.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL