feat: SBOM + vulnerability scans#562
Merged
Merged
Conversation
Contributor
|
KICS version: v2.1.16
|
0d30292 to
0b32a31
Compare
bce560f to
734a824
Compare
mladen-shielded
approved these changes
Jan 30, 2026
5a90b5f to
da90de5
Compare
gilescope
requested changes
Feb 4, 2026
gilescope
left a comment
Contributor
There was a problem hiding this comment.
Can you tweak the Earthfile to:
cargo install cargo-auditable
cargo auditable build --release
That way the sbom process will be able to pick up the bill of materials embedded in the rust binaries. Without that I would think the bill was not comprehensive.
added 10 commits
February 4, 2026 16:59
The sign-image.sh script was only signing the first platform when given a multi-arch manifest (using .[0] instead of .[]). This resulted in only amd64 being signed while arm64 was missed. Changes: - sign-image.sh now iterates through all platform digests - Removed redundant arch-specific signing from release workflow since multi-arch signing now covers all platforms
GHCR only has arch-specific tags with the commit tag (e.g., 0.20.1-dev-abc12345-amd64). The release tag only exists as a multi-arch manifest. Docker Hub has arch-specific release tags since they're created manually in the workflow.
- Upgrade Node.js from 22.13.1 to 22.22.0 in all Earthfile targets to fix CVE-2025-55130 (filesystem permissions bypass via symlinks) - Add .grype.yaml to temporarily ignore GHSA-7h2j-956f-4vf2 (brace-expansion DoS) until npm releases a patched version - Update sbom-scan workflow to include .grype.yaml in sparse checkout - Add renovate comments for automated Node.js version updates
Use cargo-auditable to embed dependency metadata in release binaries, enabling Syft/Grype to detect all 1600+ Rust crate dependencies in vulnerability scans.
c83e2df to
e3772b9
Compare
Contributor
Author
good spot, can you re-review pls. |
ozgb
requested changes
Feb 5, 2026
ozgb
left a comment
Contributor
There was a problem hiding this comment.
Blocking until we get the 0.21.0 release out - the security issues in our current node/toolkit images will create a block if we merge this PR
ozgb
approved these changes
Feb 5, 2026
ozgb
left a comment
Contributor
There was a problem hiding this comment.
With the threshold set to Critical, LGTM
14 tasks
gilescope
approved these changes
Feb 5, 2026
14 tasks
gilescope
pushed a commit
that referenced
this pull request
Apr 8, 2026
changed: - post-merge CI action excludes native token tests because they're skipped (were executed earlier) and that was causing job to fail (we expect no skipped tests on last run
m2ux
added a commit
that referenced
this pull request
Apr 23, 2026
changed: - post-merge CI action excludes native token tests because they're skipped (were executed earlier) and that was causing job to fail (we expect no skipped tests on last run Signed-off-by: Mike Clay <mike.clay@shielded.io>
m2ux
added a commit
that referenced
this pull request
Apr 23, 2026
changed: - post-merge CI action excludes native token tests because they're skipped (were executed earlier) and that was causing job to fail (we expect no skipped tests on last run Signed-off-by: Mike Clay <mike.clay@shielded.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://shielded.atlassian.net/browse/SRE-1741
Overview
Add SBOM (Software Bill of Materials) generation and vulnerability scanning to CI/CD pipelines. This implements Phase 3 of the container security initiative, building on the Cosign image signing from Phase 1.
What this adds:
Key design decisions:
critical(fails on critical CVEs only)🗹 TODO before merging
📌 Submission Checklist
🧪 Testing Evidence
Please describe any additional testing aside from CI:
Local testing of
sbom-scan.shfunctions against test imagesVerified Cosign attestation verification commands work locally
Additional tests are provided (if possible)
🔱 Fork Strategy
Links