fix: Add SBOM attestation to Docker build

- Added `--attest type=sbom` flag to the `docker buildx build` command in the Dockerfile. - This flag enables SBOM (Software Bill of Materials) attestation during the Docker build process. - The SBOM attestation helps to track and manage the dependencies and components used in the Docker image, ensuring compliance and security.

fix: Add SBOM attestation to Docker build
f509b7cf · Andrew Newdigate · 4f9af796 · f509b7cf · f509b7cf
Unverified Commit f509b7cf authored 3 months ago by Andrew Newdigate
--- a/docker.md
+++ b/docker.md
@@ -114,7 +114,7 @@ often slower than a rebuild if the main cache  is relatively warm.
  
 For that reason, writing docker builds to the branch cache is disabled by default.
  
-It can be enabled using the `~docker-write-branch-cache` label on your MR,
+It can be enabled using the ~docker-write-branch-cache label on your MR,
 or adding by the `DOCKER_WRITE_BRANCH_CACHE="1"` variable.
  
 If you're finding that Docker builds on a branch are slow and could benefit from writing the cache,
@@ -126,6 +126,41 @@ while avoiding the costly cache write at the end of each docker build job.
  
 Note that Docker builds will attempt to read the branch cache even when branch cache writing is disabled.
  
+### SBOM Attestation
+
+By default, tag and default branch images will have SBOM attestations attached using the Docker SBOM
+attestation feature: <https://docs.docker.com/build/metadata/attestations/sbom/>.
+
+This behaviour can be modified:
+
+1. Add the ~docker-attest-sbom label to an MR to write attestations for docker images produced on the branch,
+   or set `DOCKER_ATTEST_SBOM="1"`.
+2. To disable SBOM attestations, set `DOCKER_NO_ATTEST_SBOM="1"`.
+
+#### Listing the Software Bill of Materials in a Docker Image
+
+To list all packages in a Docker image, the Docker documentation provides example usage, for example:
+
+```console
+$ # list all packages in a Docker container
+$ docker buildx imagetools inspect <image> \
+    --format "{{ range .SBOM.SPDX.packages }}{{ .name }}@{{ .versionInfo }}{{ println }}{{ end }}"
+alpine-baselayout@3.6.5-r0
+alpine-baselayout-data@3.6.5-r0
+alpine-keys@2.4-r1
+apk-tools@2.14.4-r0
+busybox@1.36.1-r29
+busybox-binsh@1.36.1-r29
+ca-certificates-bundle@20240705-r0
+libcrypto3@3.3.2-r0
+libssl3@3.3.2-r0
+musl@1.2.5-r0
+musl-utils@1.2.5-r0
+scanelf@1.3.7-r2
+ssl_client@1.36.1-r29
+zlib@1.3.1-r1
+```
+
 ### Chainguard
  
 If your project uses [Chainguard](https://console.chainguard.dev/overview) images,

--- a/docker.yml
+++ b/docker.yml
@@ -130,7 +130,20 @@ include:
          echo "https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/docker.md#branch-write-caching"
          echo "----------------------------------------------------------------------------------------------------"
        fi
+      fi
+
+      # By default we skip attestation on branches to speed up the docker build
+      if [[ $CI_MERGE_REQUEST_LABELS =~ /docker-attest-sbom/ ]] ||
+        [[ $DOCKER_ATTEST_SBOM == "1" ]] ||
+        [[ -n ${CI_COMMIT_TAG:-} ]] ||
+        [[ $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH ]]; then
+        attestation_args="--attest type=sbom"
+      else
+        attestation_args=""
+      fi
  
+      if [[ $DOCKER_NO_ATTEST_SBOM == "1" ]]; then
+        attestation_args=""
      fi
  
      set -x
@@ -138,6 +151,7 @@ include:
        -f "${DOCKER_BUILD_FILE}" \
        $docker_version_build_args \
        $docker_cache_args \
+        $attestation_args \
        --iidfile "$CI_PROJECT_DIR/.docker-imageid" \
        --tag "${DOCKER_DESTINATION}" \
        --push \