@jayavenkatesh19 jayavenkatesh19 commented Oct 23, 2025

Towards https://github.com/rapidsai/build-infra/issues/280.

Adds SBOMs to every image published in this repo.

For Linux images

Instead of pushing directly from the devcontainer build command, changed to build images locally. Then a follow-up buildx stage is run that uses Syft to scan the local image, copies the SBOM into /sbom/sbom.json, and then pushes the image with the SBOM. Manifest publishing is left unchanged, as the action still returns per-arch digest via log grep.

For Windows images

After building the image, downloads the Syft Windows binary based on runner architecture, scans the image and adds the SBOM via the sbom.Dockerfile and rebuilds the image with the same tag.
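
A consumer-side check for the layout described above, as an added example that is not part of the PR or the repository's code: it reads one image layer tarball and confirms that `/sbom/sbom.json` is a regular file holding a non-empty SBOM. The PR does not state the SBOM format, so the three formats recognised here (CycloneDX, SPDX, Syft JSON) and the names `check_layer_sbom` and `make_layer` are assumptions.

```python
import io
import json
import posixpath
import tarfile

SBOM_PATH = "sbom/sbom.json"  # /sbom/sbom.json, the path named in the PR description


def detect_format(doc):
    """Return (format, key holding the package list), or None if unrecognised."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx", "components"
    if "spdxVersion" in doc:
        return "spdx", "packages"
    if "artifacts" in doc and "descriptor" in doc:
        return "syft-json", "artifacts"
    return None  # format set is an assumption; the PR does not name one


def check_layer_sbom(layer_bytes):
    """Return (format, package_count) for the SBOM in a layer tar; raise ValueError if unusable."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as tar:
        member = next((m for m in tar.getmembers()
                       if posixpath.normpath(m.name).lstrip("/") == SBOM_PATH), None)
        if member is None:
            raise ValueError("layer has no /sbom/sbom.json")
        if not member.isfile():  # a symlink or directory at that path is not an SBOM
            raise ValueError("/sbom/sbom.json is not a regular file")
        raw = tar.extractfile(member).read()
    doc = json.loads(raw)  # invalid JSON raises JSONDecodeError, a ValueError subclass
    found = detect_format(doc) if isinstance(doc, dict) else None
    if found is None:
        raise ValueError("unrecognised SBOM format")
    fmt, key = found
    packages = doc.get(key) or []
    if not packages:  # an empty package list suggests the scan hit the wrong target
        raise ValueError("SBOM lists no packages")
    return fmt, len(packages)


def make_layer(files):
    """Build a constructed sample layer tar from {path: bytes} so the check runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```
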

@jayavenkatesh19 jayavenkatesh19 changed the title [WIP] Generate SBOM for all devcontainers Generate SBOM for all devcontainers Oct 28, 2025
@jayavenkatesh19 jayavenkatesh19 marked this pull request as ready for review October 28, 2025 21:50
@jayavenkatesh19 jayavenkatesh19 requested a review from a team as a code owner October 28, 2025 21:50
@jayavenkatesh19 jayavenkatesh19 requested review from bdice and removed request for a team October 28, 2025 21:50