sbom

Published: Apr 20, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package sbom provides Software Bill of Materials (SBOM) generation and attestation functionality

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AllFormatStrings

func AllFormatStrings() []string

AllFormatStrings returns all supported SBOM format strings

func CheckInstalled

func CheckInstalled(ctx context.Context) error

CheckInstalled returns an error if Syft is not installed.

func CheckVersion

func CheckVersion(ctx context.Context, minVersion string) error

CheckVersion checks that the installed Syft version is at least minVersion.

func ValidateFormat

func ValidateFormat(s string) error

ValidateFormat returns an error if s is not a supported SBOM format string.

Types

type Attacher

// Attacher handles SBOM attestation attachment to container images.
type Attacher struct {
	// SigningConfig is the signing configuration used to sign the
	// attestation before it is attached.
	SigningConfig *signing.Config

	// Timeout bounds each cosign command invocation.
	Timeout time.Duration
}

Attacher handles SBOM attestation attachment to container images

func NewAttacher

func NewAttacher(signingConfig *signing.Config) *Attacher

NewAttacher creates a new Attacher

func (*Attacher) Attach

func (a *Attacher) Attach(ctx context.Context, sbom *SBOM, image string) error

Attach attaches an SBOM as a signed attestation to an image

func (*Attacher) Verify

func (a *Attacher) Verify(ctx context.Context, image string, format Format) (*SBOM, error)

Verify verifies the SBOM attestation of the given format attached to image and returns the attested SBOM.

type Config

// Config represents SBOM generation configuration.
type Config struct {
	// Enabled indicates if SBOM generation is enabled.
	Enabled bool `json:"enabled" yaml:"enabled"`

	// Format specifies the SBOM format (cyclonedx-json, spdx-json, etc.).
	Format Format `json:"format,omitempty" yaml:"format,omitempty"`

	// Generator specifies the tool to use; only "syft" is supported currently.
	Generator string `json:"generator,omitempty" yaml:"generator,omitempty"`

	// Output specifies where to save the SBOM (local file and/or registry).
	Output *OutputConfig `json:"output,omitempty" yaml:"output,omitempty"`

	// Attach indicates if the SBOM should be attached to the image as an
	// attestation (see Attacher).
	Attach bool `json:"attach,omitempty" yaml:"attach,omitempty"`

	// Required makes SBOM generation fail-closed: a generation failure
	// fails the build instead of being tolerated.
	Required bool `json:"required,omitempty" yaml:"required,omitempty"`

	// CacheEnabled indicates if caching should be used.
	// NOTE(review): what is cached (generated SBOMs?) is not shown here — confirm.
	CacheEnabled bool `json:"cacheEnabled,omitempty" yaml:"cacheEnabled,omitempty"`
}

Config represents SBOM generation configuration

func DefaultConfig

func DefaultConfig() *Config

DefaultConfig returns the default SBOM configuration

func (*Config) IsRequired

func (c *Config) IsRequired() bool

IsRequired returns true if SBOM generation is required, i.e. fail-closed: a generation failure fails the build.

func (*Config) ShouldAttach

func (c *Config) ShouldAttach() bool

ShouldAttach returns true if SBOM should be attached as attestation

func (*Config) ShouldCache

func (c *Config) ShouldCache() bool

ShouldCache returns true if caching should be used

func (*Config) ShouldSaveLocal

func (c *Config) ShouldSaveLocal() bool

ShouldSaveLocal returns true if SBOM should be saved locally

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the SBOM configuration

type Format

// Format represents an SBOM format; see the Format* constants for the
// supported values.
type Format string

Format represents an SBOM format

// Supported SBOM formats. The string value of each constant is its String()
// representation; presumably it is also what ParseFormat and ValidateFormat
// accept — confirm against their implementations.
const (
	// FormatCycloneDXJSON is the CycloneDX JSON format (the default).
	FormatCycloneDXJSON Format = "cyclonedx-json"
	// FormatCycloneDXXML is the CycloneDX XML format.
	FormatCycloneDXXML Format = "cyclonedx-xml"
	// FormatSPDXJSON is the SPDX JSON format.
	FormatSPDXJSON Format = "spdx-json"
	// FormatSPDXTagValue is the SPDX tag-value format.
	FormatSPDXTagValue Format = "spdx-tag-value"
	// FormatSyftJSON is the Syft native JSON format.
	FormatSyftJSON Format = "syft-json"
)

func AllFormats

func AllFormats() []Format

AllFormats returns all supported SBOM formats

func ParseFormat

func ParseFormat(s string) (Format, error)

ParseFormat parses a format string into a Format, returning an error for unsupported values.

func (Format) AttestationType

func (f Format) AttestationType() string

AttestationType returns the attestation type for cosign

func (Format) IsCycloneDX

func (f Format) IsCycloneDX() bool

IsCycloneDX checks if the format is CycloneDX

func (Format) IsSPDX

func (f Format) IsSPDX() bool

IsSPDX checks if the format is SPDX

func (Format) IsValid

func (f Format) IsValid() bool

IsValid checks if the format is valid

func (Format) PredicateType

func (f Format) PredicateType() string

PredicateType returns the predicate type for cosign attestation

func (Format) String

func (f Format) String() string

String returns the string representation of the format

type Generator

// Generator is the interface for SBOM generators; SyftGenerator is the
// implementation provided by this package.
type Generator interface {
	// Generate generates an SBOM for the given image in the given format.
	Generate(ctx context.Context, image string, format Format) (*SBOM, error)

	// SupportsFormat reports whether the generator can produce format.
	SupportsFormat(format Format) bool

	// Version returns the version of the underlying generator tool.
	Version(ctx context.Context) (string, error)
}

Generator is the interface for SBOM generators

type Metadata

// Metadata contains SBOM generation metadata.
type Metadata struct {
	// ToolName is the name of the tool used to generate the SBOM.
	ToolName string `json:"toolName"`

	// ToolVersion is the version of that tool.
	ToolVersion string `json:"toolVersion"`

	// PackageCount is the number of packages found in the SBOM.
	PackageCount int `json:"packageCount"`
}

Metadata contains SBOM generation metadata

type OutputConfig

// OutputConfig specifies SBOM output configuration.
type OutputConfig struct {
	// Local is the local file path to save the SBOM to.
	Local string `json:"local,omitempty" yaml:"local,omitempty"`

	// Registry indicates if the SBOM should be pushed to the registry as an attestation.
	Registry bool `json:"registry,omitempty" yaml:"registry,omitempty"`
}

OutputConfig specifies SBOM output configuration

type SBOM

// SBOM represents a Software Bill of Materials generated for a container
// image, together with the integrity and provenance data needed to attach
// it as an attestation.
type SBOM struct {
	// Format is the SBOM format of Content.
	Format Format `json:"format"`

	// Content is the raw SBOM document as produced by the generator.
	Content []byte `json:"content"`

	// Digest is the SHA256 hash of Content. ValidateDigest checks Content
	// against it so that a modified or truncated Content can be detected
	// before use.
	// NOTE(review): the exact encoding (hex, with or without a "sha256:"
	// prefix) is not shown here — confirm against NewSBOM.
	Digest string `json:"digest"`

	// ImageDigest is the digest of the image this SBOM was generated for;
	// it ties the SBOM to a specific image rather than a mutable tag.
	ImageDigest string `json:"imageDigest"`

	// GeneratedAt records when the SBOM was generated.
	GeneratedAt time.Time `json:"generatedAt"`

	// Metadata describes the tool and result of the generation.
	Metadata *Metadata `json:"metadata"`
}

SBOM represents a Software Bill of Materials

func NewSBOM

func NewSBOM(format Format, content []byte, imageDigest string, metadata *Metadata) *SBOM

NewSBOM creates a new SBOM

func (*SBOM) Size

func (s *SBOM) Size() int

Size returns the size of the SBOM content in bytes

func (*SBOM) ValidateDigest

func (s *SBOM) ValidateDigest() bool

ValidateDigest reports whether the SHA256 hash of Content matches Digest.

type SyftGenerator

// SyftGenerator implements Generator using the syft command.
type SyftGenerator struct {
	// Timeout bounds each syft command (default: 5 minutes, to accommodate large images).
	Timeout time.Duration
}

SyftGenerator implements SBOM generation using Syft

func NewSyftGenerator

func NewSyftGenerator() *SyftGenerator

NewSyftGenerator creates a new SyftGenerator

func (*SyftGenerator) Generate

func (g *SyftGenerator) Generate(ctx context.Context, image string, format Format) (*SBOM, error)

Generate generates an SBOM using Syft

func (*SyftGenerator) SupportsFormat

func (g *SyftGenerator) SupportsFormat(format Format) bool

SupportsFormat checks if Syft supports the given format

func (*SyftGenerator) Version

func (g *SyftGenerator) Version(ctx context.Context) (string, error)

Version returns the version of Syft
