
Conversation

@jayavenkatesh19 (Contributor) commented Oct 2, 2025

Towards https://github.com/rapidsai/build-infra/issues/280

Current Approach

PR builds

  • Image built and published on rapidsai/staging on Dockerhub
  • Image tag is prepended with PR number gathered from GITHUB_REF

Branch push

  • Image built and published to rapidsai/<image_repo> on Dockerhub
  • Image tag gathered from compute matrix is used.

Proposed changes using the multi-stage build approach

  • Add a new stage in each Dockerfile called syft-base with the Syft binary installed on a minimal alpine 3.20 image.
  • The main docker build is done using a stage called <ci-img>-base to differentiate it from the final image.
  • Another stage is added called <ci-img>-sbom where the built stage is mounted to a specified location on the syft-base stage.
  • A Syft scan is done on the mounted location, and an SBOM is generated.
  • The generated SBOM is then copied to the final stage, with image name and tags kept unchanged to ensure no changes to how these images are built and published.

Signed-off-by: Jaya Venkatesh <[email protected]>
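The multi-stage layout described above, written out as an added example Dockerfile. This is constructed for illustration and is not code from this PR or from the rapidsai CI image repositories: the stage names `ci-img-base` and `ci-img-sbom` stand in for the `<ci-img>-base` / `<ci-img>-sbom` naming, `ubuntu:22.04` is a placeholder for whatever base a given CI image uses, the Syft version is a placeholder to pin, and `/opt/sbom/` is an assumed location for the copied SBOM.

```dockerfile
# syntax=docker/dockerfile:1
# BuildKit is required for RUN --mount below.

# Placeholders (assumptions, not values from the PR): pick the real base and pin a real Syft release.
ARG BASE_IMAGE=ubuntu:22.04
ARG SYFT_VERSION=vX.Y.Z

# --- Stage 1: minimal Alpine 3.20 image carrying only the Syft binary ------
FROM alpine:3.20 AS syft-base
ARG SYFT_VERSION
RUN apk add --no-cache ca-certificates curl
# Install Syft via the upstream install script, pinned to SYFT_VERSION so the
# scanner itself is reproducible. The script verifies the release checksum;
# vendoring the script or the binary into the repo removes the runtime fetch.
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
    | sh -s -- -b /usr/local/bin "${SYFT_VERSION}" \
 && syft version

# --- Stage 2: the actual CI image build, renamed so it is not the final stage
FROM ${BASE_IMAGE} AS ci-img-base
# Constructed stand-in for the real CI image build steps.
RUN apt-get update \
 && apt-get install -y --no-install-recommends git ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# --- Stage 3: scan the built stage from inside syft-base --------------------
FROM syft-base AS ci-img-sbom
# Bind-mount the root filesystem of ci-img-base read-only at /rootfs and
# catalog it as a directory. Nothing from ci-img-base is copied into this
# stage; only the SBOM file is produced. The source name/version are
# constructed labels so the SBOM records what was scanned.
RUN --mount=type=bind,from=ci-img-base,source=/,target=/rootfs \
    syft scan dir:/rootfs \
      --source-name ci-img \
      --source-version "${SYFT_VERSION}-placeholder" \
      -o spdx-json=/sbom.spdx.json \
 && test -s /sbom.spdx.json

# --- Stage 4: final image = the built stage plus its SBOM --------------------
# Being the last stage, this is what `docker build -t <repo>:<tag> .` produces
# with no --target, so image names and tags do not change.
FROM ci-img-base AS final
COPY --from=ci-img-sbom /sbom.spdx.json /opt/sbom/sbom.spdx.json
# Constructed label; lets consumers locate the SBOM without knowing the path.
LABEL org.opencontainers.image.description="SBOM at /opt/sbom/sbom.spdx.json"
```

Two checks worth running once this is wired in. First, confirm the SBOM actually landed and is non-trivial, e.g. `docker run --rm <repo>:<tag> cat /opt/sbom/sbom.spdx.json | jq '.packages | length'`. Second, compare against a scan of the published image (`syft <repo>:<tag>`): a directory scan uses Syft's directory cataloger set, not its image cataloger set, so package counts can differ, and a large gap usually means a cataloger needs to be enabled explicitly or the mount path is wrong. Note that the SBOM describes `ci-img-base`, so it does not list itself.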
@jayavenkatesh19 jayavenkatesh19 self-assigned this Oct 2, 2025
@jayavenkatesh19 jayavenkatesh19 marked this pull request as ready for review October 20, 2025 23:53
@jayavenkatesh19 jayavenkatesh19 requested a review from a team as a code owner October 20, 2025 23:53
@jayavenkatesh19 jayavenkatesh19 requested review from msarahan and removed request for a team October 20, 2025 23:53
@jayavenkatesh19 jayavenkatesh19 changed the title [WIP] Automate SBOM generation for all CI images Automate SBOM generation for all CI images Oct 28, 2025