
Add SBOM generation to Docker build for supply chain security #24

@NP-compete

Description

Summary

Add Software Bill of Materials (SBOM) generation to Docker builds for supply chain security and compliance.

Current State

No SBOM is generated during Docker builds.

Expected Outcome

Option A: Use Docker BuildKit SBOM

```bash
docker buildx build --sbom=true -t gomcp-server .
```

Option B: Use syft in CI

```yaml
# .github/workflows/ci.yml
- name: Generate SBOM
  uses: anchore/sbom-action@v0
  with:
    image: gomcp-server:${{ github.sha }}
    artifact-name: sbom.spdx.json
    output-file: ./sbom.spdx.json

- name: Upload SBOM
  uses: actions/upload-artifact@v4
  with:
    name: sbom
    path: ./sbom.spdx.json
```

Option C: Use ko for Go-native builds

```yaml
# A step can carry either `uses` or `run`, not both, so installing ko and
# building with it are two steps.
- name: Set up ko
  uses: ko-build/setup-ko@v0.6

- name: Build with ko
  run: ko build --sbom=spdx ./cmd/server
```

Benefits

  1. Compliance: Required for many enterprise deployments
  2. Vulnerability tracking: Know exactly what's in your container
  3. Incident response: Quickly identify affected deployments
  4. Transparency: Users can audit dependencies
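
The vulnerability-tracking and incident-response benefits above only pay off if the SBOM is actually queried when an advisory lands. The following is an added example, not code from this issue or the gomcp-server project: a small Go program that parses the SPDX JSON document that syft, ko and BuildKit all emit, and lists the packages that still sit below a fixed version. The SBOM fragment, the module names (`example.com/lib/foo`, `example.com/lib/bar`) and the version thresholds are all constructed for the example and do not describe any real advisory. Version comparison is a minimal Go-module-style parser (`vMAJOR.MINOR.PATCH` with an optional `-prerelease`/`+build` suffix); it is deliberately stdlib-only so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Minimal subset of the SPDX 2.3 JSON schema; fields not needed here are ignored.
type SPDXDocument struct {
	SPDXVersion string        `json:"spdxVersion"`
	Name        string        `json:"name"`
	Packages    []SPDXPackage `json:"packages"`
}

type SPDXPackage struct {
	Name         string        `json:"name"`
	VersionInfo  string        `json:"versionInfo"`
	ExternalRefs []ExternalRef `json:"externalRefs"`
}

type ExternalRef struct {
	ReferenceCategory string `json:"referenceCategory"`
	ReferenceType     string `json:"referenceType"`
	ReferenceLocator  string `json:"referenceLocator"`
}

// PURL returns the package-url external reference, or "" if the package has none.
func (p SPDXPackage) PURL() string {
	for _, r := range p.ExternalRefs {
		if r.ReferenceType == "purl" {
			return r.ReferenceLocator
		}
	}
	return ""
}

type version struct {
	nums [3]int
	pre  bool // has a -prerelease suffix, which orders before the plain release
}

// parseVersion accepts Go-module-style versions: v1.2.3, 1.2.3, v1.2.3-rc1, v1.2.3+meta.
// Anything else (e.g. "go1.22.3" as syft reports the Go stdlib) is an error.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		s, v.pre = s[:i], true
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q", p)
		}
		v.nums[i] = n
	}
	return v, nil
}

// less reports whether a orders before b.
func (a version) less(b version) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.pre && !b.pre
}

// FindAffected parses an SPDX JSON SBOM and returns every package named pkgName
// whose version is older than fixedVersion, i.e. that still needs the fix.
func FindAffected(sbomJSON []byte, pkgName, fixedVersion string) ([]SPDXPackage, error) {
	fixed, err := parseVersion(fixedVersion)
	if err != nil {
		return nil, err
	}
	var doc SPDXDocument
	if err := json.Unmarshal(sbomJSON, &doc); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	var hits []SPDXPackage
	for _, p := range doc.Packages {
		if p.Name != pkgName {
			continue
		}
		v, err := parseVersion(p.VersionInfo)
		if err != nil {
			return nil, fmt.Errorf("package %s: %w", p.Name, err)
		}
		if v.less(fixed) {
			hits = append(hits, p)
		}
	}
	return hits, nil
}

// Constructed SBOM with hypothetical module names; not any real project's output.
const sampleSBOM = `{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "gomcp-server",
  "packages": [
    {"name": "example.com/lib/foo", "versionInfo": "v1.4.2",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/example.com/lib/foo@v1.4.2"}]},
    {"name": "example.com/lib/bar", "versionInfo": "v2.0.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/example.com/lib/bar@v2.0.0"}]},
    {"name": "stdlib", "versionInfo": "go1.22.3", "externalRefs": []}
  ]}`

func main() {
	hits, err := FindAffected([]byte(sampleSBOM), "example.com/lib/foo", "v1.5.0")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	for _, p := range hits {
		fmt.Printf("affected: %s %s (%s)\n", p.Name, p.VersionInfo, p.PURL())
	}
}
```

In a real incident you would run this over the SBOM artifact of every deployed image tag (the `sbom.spdx.json` uploaded by the CI step, or the attestation pulled from the registry) rather than over an inline string, which is what makes "quickly identify affected deployments" possible without re-scanning each container.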

Acceptance Criteria

  • SBOM generated during CI builds
  • SBOM attached to release artifacts
  • SBOM in SPDX or CycloneDX format
  • Documentation for accessing SBOM
  • Consider signing SBOM with cosign
