Drone plugin for generating SBOMs using anchore/syft.
- Go 97.2%
- Dockerfile 2.8%
Pierre-Olivier Mercier
e4c218d67c
All checks were successful
continuous-integration/drone/push Build is passing
|
||
|---|---|---|
| docs | ||
| plugin | ||
| .drone-manifest.yml | ||
| .drone.yml | ||
| .gitignore | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| README.md | ||
A plugin to generate SBOMs (Software Bill of Materials) using anchore/syft.
Usage
The following settings changes this plugin's behavior.
- select_catalogers (optional) comma-separated list of catalogers to use.
- output (optional) comma-separated list of output formats (e.g.
spdx-json=report.json,cyclonedx-json). - source_name (optional) name to use as the source in the SBOM.
The source version is automatically derived from DRONE_TAG if set, otherwise DRONE_COMMIT_SHA.
Below is an example .drone.yml that uses this plugin.
kind: pipeline
name: default
steps:
- name: sbom
image: nemunaire/drone-syft
pull: if-not-exists
settings:
output: spdx-json=sbom.spdx.json
source_name: my-project
Below is an example with multiple outputs and cataloger selection.
kind: pipeline
name: default
steps:
- name: sbom
image: nemunaire/drone-syft
pull: if-not-exists
settings:
select_catalogers: dpkg,rpm
output: spdx-json=sbom.spdx.json,cyclonedx-json=sbom.cdx.json
source_name: my-project
Building
Build the plugin binary:
scripts/build.sh
Build the plugin image:
docker build -t nemunaire/drone-syft -f docker/Dockerfile .
Testing
Execute the plugin from your current working directory:
docker run --rm \
-e DRONE_COMMIT_SHA=8f51ad7884c5eb69c11d260a31da7a745e6b78e2 \
-e DRONE_COMMIT_BRANCH=master \
-e DRONE_BUILD_NUMBER=43 \
-e DRONE_BUILD_STATUS=success \
-w /drone/src \
-v $(pwd):/drone/src \
nemunaire/drone-syft