osism · berendt · Aug 18, 2024 · Aug 18, 2024
diff --git a/.zuul.yaml b/.zuul.yaml
@@ -2,6 +2,17 @@
 - secret:
     name: SECRET_OSISM_KUBERNETES
     data:
+      DTRACK_API_KEY: !encrypted/pkcs1-oaep
+        - E4KqeSYLZWvnk/RvcXlPK9+9vMpPlcR1T7a8JdoRpEWaHIjSfkR/z6iweljyy1fVFH5wS
+          vxzeSPSuFz3w8e47aV6QrxsOekkeghFCXvZv20A5E9Eluzk/vvvLm/5089YK5t7RkHInr
+          PUqvcv1yoPjhCO4A8L5+th2aNhjNN4EtVrXL/UGQnCn64v1BUHeLKiCymCO6mI4C1HWV8
+          nU0SgqDnwqinVHr6d+ZHhxR2wvDrMcQM7Dti7RZCKesfwgQxnLC0LenP7KI5E4z0W7R+E
+          ipHTcrn5p03mgtwUs4wBt8muCUm7xRbIC7vpJvEJf8KpFXVBZxqUWha46OqQ/q+OH4z3p
+          vcpSoXaexDXJnMGIYCniN4QarV4zSixvuPmvxV1HowzNzVNuffcFya+2PGCc43WgHmTH6
+          SEbuRgX35x2p3g2lTSZgonR2Cj6uyNmvlXg9qVkUwweyJ+/dvyHi8jHoNpi7SG+Xe8MD7
+          FBF0rL45l4DTI4+FXoCA10uyT9dDFujuqjxxCzgFoCzEM5CEQZ7xHdsQ0mDgi7QUs/Bzb
+          q8BxFwdKRe8lwm72sRUAIkrcBIRMdLPohPAmFqDuh/ASlSBMO+a8JoVpglI6STIAAM6tc
+          eJPW0sl33UqeL4mzBe1jTvqD+NsMxHeEtQ/E/ymIyWzwHxK0MjN0fgP3tTfJAc=
       DOCKER_USERNAME: !encrypted/pkcs1-oaep
         - NFbD4TjpIXkwWB7THs9NxmFSD5Rawtlx0DhLlUga1mXc1NzVN++UruucUKyXarWrJEgw7
           i48SSRa6b+795NrC1ZGWH/Pd/oZfCsxMn1YACISRUm/+QEl6+C8r6gB+NLUytl/N+64vo
@@ -48,6 +59,7 @@
       docker_namespace: osism
       docker_registry: osism.harbor.regio.digital
       push_image: true
+      push_sbom: true
 
 - job:
     name: osism-kubernetes-push

diff --git a/zuul-playbooks/build.yml b/zuul-playbooks/build.yml
@@ -6,6 +6,8 @@
     registry: "{{ docker_registry | default('osism.harbor.regio.digital') }}"
     repository: "{{ docker_namespace | default('osism') }}/osism-kubernetes"
     version: "{{ zuul['tag'] | default('latest') }}"
+    DTRACK_SERVER: "https://osism.dtrack.regio.digital"
+    DTRACK_API_KEY: "{{ secret.DTRACK_API_KEY | default('') }}"
 
   tasks:
     - name: Log into registry
@@ -84,3 +86,26 @@
 
       when: push_image | default(false) | bool
       changed_when: true
+
+    - name: Run sbom script
+      ansible.builtin.shell:
+        executable: /bin/bash
+        chdir: "{{ zuul.project.src_dir | default('.') }}"
+        cmd: |
+          set -e
+          set -o pipefail
+          set -x
+
+          if [[ -n $registry ]]; then
+              repository="$registry/$repository"
+          fi
+
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
+          /usr/local/bin/syft scan "$repository:$version" -o cyclonedx-json > sbom.json
+          {{ python_venv_dir }}/bin/dtrackauditor \
+            -p osism-kubernetes \
+            -v "$version" \
+            -f sbom.json \
+            -a
+      when: push_sbom | default(false) | bool
+      changed_when: true
diff --git a/zuul-playbooks/pre.yml b/zuul-playbooks/pre.yml
@@ -2,6 +2,9 @@
 - name: Run preparations
   hosts: all
 
+  vars:
+    python_venv_dir: /tmp/venv
+
   tasks:
     - name: Install required packages
       become: true
@@ -10,5 +13,11 @@
           - python3-docker
           - python3-requests
 
+    - name: Install dtrack-auditor package
+      ansible.builtin.pip:
+        name: dtrack-auditor
+        virtualenv: "{{ python_venv_dir }}"
+        virtualenv_command: "python3 -m venv"
+
   roles:
     - ensure-docker