@jayavenkatesh19 jayavenkatesh19 commented Oct 23, 2025

Towards https://github.com/rapidsai/build-infra/issues/280.

Adds SBOMs to every image published in this repo.

For Linux images

Instead of pushing directly from the devcontainer build command, images are now built locally. Then a follow-up buildx stage is run that uses Syft to scan the local image, copies the SBOM into /sbom/sbom.json, and then pushes the image with the SBOM. Manifest publishing is left unchanged, as the action still returns per-arch digests via log grep.

For Windows images

After building the image, the workflow downloads the Syft Windows binary based on the runner architecture, scans the image, adds the SBOM via the sbom.Dockerfile and rebuilds the image with the same tag.

Signed-off-by: Jaya Venkatesh <jjayabaskar@nvidia.com>
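The Linux flow described above (build the image locally, scan it with Syft, layer the SBOM at /sbom/sbom.json, rebuild under the same tag), written out as an added shell example. This is not code from the PR or from the rapidsai repository; it assumes `docker` and `syft` are on PATH and the `syft scan <source> -o syft-json=<file>` CLI form, and it adds a small sanity gate so an empty or malformed SBOM is never attached to a published image.

```shell
#!/bin/sh
# Added example (not part of the PR): attach a Syft SBOM to a locally built
# image via a follow-up build stage, after checking the SBOM is usable.
# Assumptions: `docker` and `syft` are on PATH, and syft accepts
# `syft scan <source> -o syft-json=<file>` (syft 1.x CLI form).
set -eu

# Write the small Dockerfile that layers the SBOM onto the built image.
# $1 = path of the Dockerfile to write, $2 = image reference of the local build.
write_sbom_dockerfile() {
    cat > "$1" <<EOF
FROM $2
COPY sbom.json /sbom/sbom.json
EOF
}

# Generate a Syft JSON SBOM for a local image.
# $1 = image reference, $2 = output file.
generate_sbom() {
    syft scan "docker:$1" -o "syft-json=$2"
}

# Cheap validity gate, run before anything is pushed.
# Returns 0 only when the file is non-empty, carries the Syft top-level
# "artifacts" and "descriptor" keys, and the artifact list is not empty
# (an empty list almost always means the scan looked at the wrong thing).
check_sbom() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '"artifacts"' "$f" || return 1
    grep -q '"descriptor"' "$f" || return 1
    grep -Eq '"artifacts"[[:space:]]*:[[:space:]]*\[[[:space:]]*\]' "$f" && return 1
    return 0
}

# Full flow: scan, gate, then rebuild under the same tag with the SBOM layer.
# $1 = image reference that was just built locally.
attach_sbom() {
    image="$1"
    workdir="$(mktemp -d)"
    generate_sbom "$image" "$workdir/sbom.json"
    if ! check_sbom "$workdir/sbom.json"; then
        echo "refusing to attach SBOM: $workdir/sbom.json failed the sanity check" >&2
        return 1
    fi
    write_sbom_dockerfile "$workdir/sbom.Dockerfile" "$image"
    docker build -f "$workdir/sbom.Dockerfile" -t "$image" "$workdir"
}

# Usage: ./attach_sbom.sh <local-image:tag>
if [ $# -gt 0 ]; then
    attach_sbom "$1"
fi
```

The gate is deliberately a grep rather than a full JSON parse so it has no dependencies beyond a POSIX shell; its only job is to stop a CI step from silently shipping a `/sbom/sbom.json` that describes nothing, which is the failure mode that is hardest to notice after the image has been pushed.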
@jayavenkatesh19 jayavenkatesh19 changed the title [WIP] Generate SBOM for all devcontainers Generate SBOM for all devcontainers Oct 28, 2025
@jayavenkatesh19 jayavenkatesh19 marked this pull request as ready for review October 28, 2025 21:50
@jayavenkatesh19 jayavenkatesh19 requested a review from a team as a code owner October 28, 2025 21:50
@jayavenkatesh19 jayavenkatesh19 requested review from bdice and removed request for a team October 28, 2025 21:50

@jameslamb jameslamb left a comment


Thanks for doing this. This looks a bit more complex than rapidsai/docker#805 and rapidsai/ci-imgs#309 ... before we spend any more time working through it, I think we should wait to see what happens with those PRs and our general approach to SBOMs.
