Skip to content

Commit 4e5b0a8

Browse files
RetGalRetGal
committed
add publish to deptrack
1 parent 53e48a1 commit 4e5b0a8

File tree

2 files changed

+37
-4
lines changed

2 files changed

+37
-4
lines changed

ci/main.go

Lines changed: 36 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -158,6 +158,25 @@ func (m *Ci) Vulnscan(sbom *dagger.File) *dagger.File {
158158
return trivy.Sbom(sbom).Report("json")
159159
}
160160

161+
// Publish cyclonedx SBOM to Deptrack
162+
func (m *Ci) PublishToDeptrack(
163+
ctx context.Context,
164+
// SBOM file
165+
sbom *dagger.File,
166+
// deptrack address for publishing the SBOM https://deptrack.example.com/api/v1/bom
167+
address string,
168+
// deptrack API key
169+
apiKey *dagger.Secret,
170+
// deptrack project UUID
171+
projectUUID string,
172+
) (string, error) {
173+
return dag.Container().
174+
From("curlimages/curl").
175+
WithFile("sbom.json", sbom).
176+
WithExec([]string{"curl", "-X", "POST", "-H", "'Content-Type: multipart/form-data'", "-H", fmt.Sprintf("'X-API-Key: %s'", apiKey), "-F", fmt.Sprintf("'project=%s'", projectUUID), "-F", "[email protected]", address}).
177+
Stdout(ctx)
178+
}
179+
161180
// Sign the published image using cosign
162181
func (m *Ci) Sign(
163182
ctx context.Context,
@@ -232,6 +251,12 @@ func (m *Ci) Ci(
232251
registryPassword *dagger.Secret,
233252
// registry address registry/repository/image:tag
234253
registryAddress string,
254+
// deptrack address for publishing the SBOM https://deptrack.example.com/api/v1/bom
255+
dtAddress string,
256+
// deptrack project UUID
257+
dtProjectUUID string,
258+
// deptrack API key
259+
dtApiKey *dagger.Secret,
235260
// ignore linter failures
236261
// +optional
237262
// +default=false
@@ -246,6 +271,7 @@ func (m *Ci) Ci(
246271
digest, err := m.Publish(ctx, image, registryAddress)
247272

248273
if err == nil {
274+
m.PublishToDeptrack(ctx, sbom, dtAddress, dtApiKey, dtProjectUUID)
249275
m.Sign(ctx, registryUsername, registryPassword, digest)
250276
m.Attest(ctx, registryUsername, registryPassword, digest, sbom, "cyclonedx")
251277
}
@@ -271,6 +297,12 @@ func (m *Ci) CiIntegration(
271297
registryPassword *dagger.Secret,
272298
// registry address registry/repository/image:tag
273299
registryAddress string,
300+
// deptrack address for publishing the SBOM https://deptrack.example.com/api/v1/bom
301+
dtAddress string,
302+
// deptrack project UUID
303+
dtProjectUUID string,
304+
// deptrack API key
305+
dtApiKey *dagger.Secret,
274306
// ignore linter failures
275307
// +optional
276308
// +default=false
@@ -339,11 +371,12 @@ func (m *Ci) CiIntegration(
339371

340372
// After publishing the image, we can sign and attest
341373
if err != nil {
342-
return nil, err
374+
return nil, err
343375
}
344376

345-
m.Sign(ctx, registryUsername, registryPassword, digest)
346-
m.Attest(ctx, registryUsername, registryPassword, digest, sbom, "cyclonedx")
377+
m.PublishToDeptrack(ctx, sbom, dtAddress, dtApiKey, dtProjectUUID)
378+
m.Sign(ctx, registryUsername, registryPassword, digest)
379+
m.Attest(ctx, registryUsername, registryPassword, digest, sbom, "cyclonedx")
347380

348381
sbomName, _ := sbom.Name(ctx)
349382
result_container := dag.Container().

dagger.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "ci",
3-
"engineVersion": "v0.15.2",
3+
"engineVersion": "v0.15.3",
44
"sdk": "go",
55
"dependencies": [
66
{

0 commit comments

Comments
 (0)