{"id":18941486,"url":"https://github.com/mchmarny/sbominator","last_synced_at":"2026-03-23T21:30:16.977Z","repository":{"id":77051950,"uuid":"570282378","full_name":"mchmarny/sbominator","owner":"mchmarny","description":"Custom Google Cloud Build step to create a Software Bill of Materials (SBOM) and Binary Authorization attestation.","archived":false,"fork":false,"pushed_at":"2023-04-20T22:28:43.000Z","size":1185,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-31T22:42:57.926Z","etag":null,"topics":["build","cloudbuild","cosign","docker","pipeline","sbom","snyk"],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mchmarny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-24T19:31:28.000Z","updated_at":"2023-05-10T19:34:57.000Z","dependencies_parsed_at":null,"dependency_job_id":"3e3c19fb-473b-427a-b477-94ef0da2b059","html_url":"https://github.com/mchmarny/sbominator","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fsbominator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fsbominator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fsbominator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fsbominator/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mchmarny","download_url":"https://codeload.github.com/mchmarny/sbominator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239942660,"owners_count":19722328,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["build","cloudbuild","cosign","docker","pipeline","sbom","snyk"],"created_at":"2024-11-08T12:28:15.572Z","updated_at":"2026-03-23T21:30:16.897Z","avatar_url":"https://github.com/mchmarny.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sbominator\n\nCustom build step for generating [Software Bill of Materials](https://www.cisa.gov/sbom) (SBOM) for a container image. 
When added to your [Google Cloud Build](https://cloud.google.com/build) pipeline, it will:\n\n* Sign the image using a [KMS](https://cloud.google.com/security-key-management) key, based on the image digest\n* Create an SBOM attestation ([JSON SPDX format](https://github.com/spdx/spdx-spec/blob/v2.2/schemas/spdx-schema.json))\n* (Optional) Create a [Binary Authorization](https://cloud.google.com/binary-authorization) attestation for a given attestor, and sign it with the KMS key\n\n![](images/reg.png)\n\n## Setup\n\nFirst, enable the required APIs:\n\n```shell\ngcloud services enable \\\n  artifactregistry.googleapis.com \\\n  binaryauthorization.googleapis.com \\\n  cloudkms.googleapis.com \\\n  container.googleapis.com \\\n  containerregistry.googleapis.com \\\n  containersecurity.googleapis.com\n```\n\n### Cloud Build\n\nTo use this build step, the Cloud Build service account needs the following IAM roles:\n\n* Binary Authorization Attestor Viewer: `roles/binaryauthorization.attestorsViewer`\n* Cloud KMS CryptoKey Decrypter: `roles/cloudkms.cryptoKeyDecrypter`\n* Cloud KMS CryptoKey Signer/Verifier: `roles/cloudkms.signerVerifier`\n* Container Analysis Notes Attacher: `roles/containeranalysis.notes.attacher`\n\nTo ensure that the Cloud Build service account in your project has these roles:\n\n```shell\nexport PROJECT_ID=\"\u003cyour project id\u003e\"\n\ngcloud config set project $PROJECT_ID\n\n# filter on the project id field so a partial match on another project's name is not picked up\nexport PROJECT_NUMBER=$(gcloud projects list \\\n  --filter=\"projectId=$PROJECT_ID\" \\\n  --format=\"value(PROJECT_NUMBER)\")\n\nexport BUILD_SA=\"serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com\"\n\ngcloud projects add-iam-policy-binding $PROJECT_ID \\\n  --member $BUILD_SA \\\n  --role roles/binaryauthorization.attestorsViewer\n\ngcloud projects add-iam-policy-binding $PROJECT_ID \\\n  --member $BUILD_SA \\\n  --role roles/cloudkms.cryptoKeyDecrypter\n\ngcloud projects add-iam-policy-binding $PROJECT_ID \\\n  --member $BUILD_SA \\\n  --role 
roles/cloudkms.signerVerifier\n\ngcloud projects add-iam-policy-binding $PROJECT_ID \\\n  --member $BUILD_SA \\\n  --role roles/containeranalysis.notes.attacher\n```\n\n### KMS\n\nCreate a key ring and a key for asymmetric signing:\n\n\u003e details: https://cloud.google.com/kms/docs/creating-asymmetric-keys\n\n```shell\n# replace if you want to deploy to a different location\nexport REGION=\"us-west1\"\nexport NAME=\"sbominator\"\n# the signing key is created inside the key ring named after NAME\nexport KEY=\"${NAME}-signer\"\n\ngcloud kms keyrings create $NAME \\\n  --project $PROJECT_ID \\\n  --location $REGION\n\ngcloud kms keys create $KEY \\\n  --project $PROJECT_ID \\\n  --location $REGION \\\n  --keyring $NAME \\\n  --purpose asymmetric-signing \\\n  --default-algorithm rsa-sign-pkcs1-4096-sha512\n```\n\n### Binary Authorization\n\nCreate the attestation note:\n\n```shell\ncurl \"https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NAME}-note\" \\\n  --request \"POST\" \\\n  --header \"Content-Type: application/json\" \\\n  --header \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n  --header \"X-Goog-User-Project: ${PROJECT_ID}\" \\\n  --data-binary @- \u003c\u003cEOF\n    {\n      \"name\": \"projects/${PROJECT_ID}/notes/${NAME}-note\",\n      \"attestation\": {\n        \"hint\": {\n          \"human_readable_name\": \"${NAME} note\"\n        }\n      }\n    }\nEOF\n```\n\nCreate the attestor and add the asymmetric signing key to it:\n\n\u003e details: https://cloud.google.com/sdk/gcloud/reference/alpha/container/binauthz/attestors/public-keys/add\n\n```shell\ngcloud container binauthz attestors create $NAME \\\n--project $PROJECT_ID \\\n--attestation-authority-note-project $PROJECT_ID \\\n--attestation-authority-note \"${NAME}-note\" \\\n--description \"${NAME} attestor\"\n\ngcloud beta container binauthz attestors public-keys add \\\n--project $PROJECT_ID \\\n--attestor $NAME \\\n--keyversion \"1\" \\\n--keyversion-key $KEY \\\n--keyversion-keyring $NAME 
\\\n--keyversion-location $REGION \\\n--keyversion-project $PROJECT_ID\n```\n\n### Cloud Build config\n\nPrint the variables, and add them to the `substitutions` section of your `cloudbuild.yaml`:\n\n\u003e see [example/cloudbuild.yaml](example/cloudbuild.yaml) for an example\n\n```shell\necho \"\n_KMS_KEY: projects/${PROJECT_ID}/locations/${REGION}/keyRings/${NAME}/cryptoKeys/${KEY}/cryptoKeyVersions/1\n_BIN_AUTHZ_ID: projects/${PROJECT_ID}/attestors/${NAME}\n\"\n```\n\n## Usage\n\nSign images by their digest, not by tag: a tag can be moved to a different image, a digest cannot. When publishing the image to GCP Artifact Registry, also extract the digest of the newly published image. To let other steps in the pipeline access that digest, write it to a temporary file like this:\n\n```shell\ndocker image inspect $IMAGE_TAG --format '{{index .RepoDigests 0}}' \u003e image-digest.txt\n```\n\nTo add SBOM generation to your pipeline, add the following step anywhere after the image is published and the digest is written to the file:\n\n```yaml\n- id: sbom\n  name: us-docker.pkg.dev/cloudy-tools/builders/sbominator@sha256:d863f7bdf10e63f9f43298e73aad5886b87245827497b8333c038d6c1d2bdc58\n  entrypoint: /bin/bash\n  env:\n  - PROJECT=$PROJECT_ID\n  - KEY=$_KMS_KEY\n  - COMMIT=$COMMIT_SHA\n  - VERSION=$TAG_NAME\n  - ATTESTOR=$_BIN_AUTHZ_ID # optional - to add binary attestation\n  args:\n  - -c\n  - |\n    builder $(/bin/cat image-digest.txt)\n```\n\n\u003e Both the `COMMIT` sha and the `VERSION` tag are automatically included variables for tag-triggered pipelines.\n\nA complete pipeline with all the steps shown in the image below is available in the [example folder](example/cloudbuild.yaml).\n\n![](images/build.png)\n\n## Technology\n\nThis builder uses the following open source projects:\n\n* [cosign](https://github.com/sigstore/cosign) for signing\n* [syft](https://github.com/anchore/syft) for SBOM generation\n\nAdditionally, this builder uses Google Cloud CLI 
([gcloud](https://cloud.google.com/sdk/gcloud)) for environment configuration.\n\n## Disclaimer\n\nThis is my personal project and it does not represent my employer. While I do my best to ensure that everything works, I take no responsibility for issues caused by this code.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchmarny%2Fsbominator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmchmarny%2Fsbominator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchmarny%2Fsbominator/lists"}