{"id":18941437,"url":"https://github.com/mchmarny/artomator","last_synced_at":"2026-03-23T21:30:18.580Z","repository":{"id":64589373,"uuid":"576033783","full_name":"mchmarny/artomator","owner":"mchmarny","description":"Automates creation of Software Bill of Materials (SBOM) with Binary Authorization attestation for container images in Artifact Registry.","archived":false,"fork":false,"pushed_at":"2023-09-08T19:42:02.000Z","size":77448,"stargazers_count":3,"open_issues_count":9,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-31T22:42:51.336Z","etag":null,"topics":["artifact","authorization","devops","gcp","google-cloud-platform","pubsub","registry","sbom"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mchmarny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-12-08T21:24:11.000Z","updated_at":"2024-12-03T20:10:58.000Z","dependencies_parsed_at":"2024-06-20T17:41:24.375Z","dependency_job_id":null,"html_url":"https://github.com/mchmarny/artomator","commit_stats":null,"previous_names":[],"tags_count":107,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fartomator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fartomator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fartomator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Far
tomator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mchmarny","download_url":"https://codeload.github.com/mchmarny/artomator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239942595,"owners_count":19722328,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifact","authorization","devops","gcp","google-cloud-platform","pubsub","registry","sbom"],"created_at":"2024-11-08T12:28:03.678Z","updated_at":"2026-03-23T21:30:16.500Z","avatar_url":"https://github.com/mchmarny.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# artomator\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/mchmarny/artomator)](https://goreportcard.com/report/github.com/mchmarny/artomator) ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/mchmarny/artomator) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/gojp/goreportcard/blob/master/LICENSE)\n\n\n`artomator` (aka Artifact Registry Automator) automates the creation of [Software Bill of Materials (SBOM)](https://www.cisa.gov/sbom) with Binary Authorization attestation for container images in [Artifact Registry (AR)](https://cloud.google.com/artifact-registry). 
`artomator` will automatically add SBOM attestations to any image pushed to the registry with the `artomator-sbom` [label](https://docs.docker.com/config/labels-custom-metadata/).\n\n```shell\ndocker build -t $TAG --label artomator-sbom=spdx .\n```\n\nThe value of the label dictates the SBOM format. The two supported formats are `cyclonedx` and `spdx`. `artomator` also creates a [Binary Authorization](https://cloud.google.com/binary-authorization) attestation to support project- or cluster-level policies.\n\n![](images/flow.png)\n\n## how it works\n\n1. Whenever an image is published to Artifact Registry\n2. A [registry event](https://cloud.google.com/artifact-registry/docs/configure-notifications) is automatically published onto a [PubSub](https://cloud.google.com/pubsub/docs/overview) topic named `gcr`\n3. A PubSub subscription pushes that event to the `artomator` service in [Cloud Run](https://cloud.google.com/run) with the operation type and the image digest\n4. If the operation type is `INSERT`, the `artomator` service retrieves metadata for that image from the registry and checks its labels\n5. If the image includes the `artomator-sbom` label, the service signs that image using a KMS key\n6. Creates a new attestation of the type given by the label (e.g. `spdx`) and attaches it to the image in the registry\n7. If a [GCS bucket](https://cloud.google.com/storage) is configured, `artomator` will also save the generated artifacts to that bucket\n8. On successful completion, `artomator` also creates a Binary Authorization attestation using `artomator-attestor` with its associated KMS key\n9. Finally, `artomator` also stores the processed image digests in a [Redis store](https://cloud.google.com/memorystore) to avoid re-processing the same image again\n\n\u003e Technically, adding an attestation to an image creates yet another event, and could cause recursion. 
To prevent this, and to allow `artomator` to scale to multiple instances, a Redis-based cache is used that caches the processed digests for 72 hours.\n\nTo process images, `artomator` uses a few open-source projects:\n\n* [cosign](https://github.com/sigstore/cosign) for image signing and verification\n* [syft](https://github.com/anchore/syft) for SBOM generation\n* [trivy](https://github.com/aquasecurity/trivy) for vulnerability scans\n* [jq](https://stedolan.github.io/jq/) for JSON operations\n\n## artifacts\n\nIn addition to attaching attestations to the image in Artifact Registry and the Binary Authorization note, `artomator` also saves all the generated reports in a GCS bucket (for example [sbom.json](tests/sbom.json)). To make these names predictable, `artomator` prefixes them with the image SHA. For example, if the image digest is:\n\n```shell\nus-west1-docker.pkg.dev/s3cme1/artomator/tester@sha256:acaccb6c8f975ee7df7f46468fae28fb5014cf02c2835d2dc37bf6961e648838\n```\n\nthen the list of artifacts in the registry for that image will be:\n\n* acaccb6c8f975ee7df7f46468fae28fb5014cf02c2835d2dc37bf6961e648838-sbom.json\n* acaccb6c8f975ee7df7f46468fae28fb5014cf02c2835d2dc37bf6961e648838-meta.json\n\nwhere:\n\n* `-sbom.json` is the SPDX 2.3 formatted SBOM file\n* `-meta.json` is the image metadata in the registry as it was when the image was processed\n\n## deployment\n\nThe prerequisites to deploy `artomator` include:\n\n* [Terraform CLI](https://www.terraform.io/downloads)\n* [GCP Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects)\n* [gcloud CLI](https://cloud.google.com/sdk/gcloud)\n\nTo deploy the prebuilt `artomator`, first clone this repo:\n\n```shell\ngit clone git@github.com:mchmarny/artomator.git\n```\n\nThen navigate to the `deployment` directory inside of that cloned repo:\n\n```shell\ncd artomator/deployment\n```\n\nNext, authenticate to GCP:\n\n```shell\ngcloud auth application-default login\n```\n\nInitialize Terraform:
\n\n```shell\nterraform init\n```\n\n\u003e Note, this flow uses the default, local Terraform state. Make sure you do not check the state files into your source control (see `.gitignore`), or consider using a persistent state backend such as GCS.\n\nWhen done, apply the Terraform configuration:\n\n```shell\nterraform apply\n```\n\nWhen prompted, provide the requested variables:\n\n* `project_id` is the GCP project ID (not the name)\n* `location` is the GCP region to deploy to\n\nWhen completed, this will output the configured resource information.\n\n## test deployment\n\nTo test the deployed `artomator`, use any valid Dockerfile you already have:\n\n```shell\ndocker build -t $TEST_IMAGE_TAG --label artomator-sbom=spdx .\ndocker push $TEST_IMAGE_TAG\n```\n\n## cleanup\n\nTo clean up all the resources provisioned by this setup, run:\n\n```shell\nterraform destroy\n```\n\n\u003e Note, this does not remove the created KMS resources.\n\n## disclaimer\n\nThis is my personal project and it does not represent my employer. While I do my best to ensure that everything works, I take no responsibility for issues caused by this code.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchmarny%2Fartomator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmchmarny%2Fartomator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchmarny%2Fartomator/lists"}