
feat(release): attest SBOM + vulnerability scan to the source release#464

Merged
zircote merged 2 commits into
mainfrom
feat/attest-sbom-vuln-on-release
Jun 17, 2026

Conversation

@zircote

@zircote zircote commented Jun 17, 2026


Summary

You flagged that most of the security checks are germane to the package/source, not only a container image — correct. This wires the minimum you asked for (SBOM and vuln) onto the source release.

release.yml now attests three predicates to the release bundle digest, all signed by release.yml:

| Predicate | URI | Describes |
|---|---|---|
| Provenance | https://slsa.dev/provenance/v1 | how the bundle was built (existing) |
| SBOM | https://cyclonedx.org/bom | the package's declared dependencies (Syft over source) |
| Vulnerabilities | https://in-toto.io/attestation/vulns/v0.1 | Grype scan of the source (evidence, read the verdict) |
  • SBOM + scan run on the pristine checkout, before the tarball exists (so Syft doesn't catalog the archive itself).
  • The fail-closed self-verify step now checks all three predicates.
  • sbom.cdx.json and grype.json are attached to the Release.
  • RELEASING.md updated with per-predicate verify commands and the package-vs-container framing.

Type of Change

  • New feature (non-breaking) — adds SBOM + vuln attestations to the release
  • Documentation update

Test Plan

  • actionlint clean on release.yml
  • All six actions SHA-pinned (reuses repo's existing anchore/attest pins)
  • Exercised end-to-end — runs only on tag push; will be validated by cutting the next tag (e.g. v0.1.1) after merge

Checklist

  • Self-reviewed; step order is scan-pristine → bundle → attest(3) → release → verify
  • Follows project conventions (SHA-pinned, least-privilege; job already has id-token/attestations: write)
  • Docs updated (RELEASING.md)
  • No new warnings (actionlint clean)

zircote added 2 commits June 17, 2026 08:21
The source-germane security evidence belongs on the package, not only on a
container image. release.yml now generates a CycloneDX SBOM and a Grype
vulnerability scan of the source and attests both to the bundle digest
alongside SLSA provenance — three predicates, all signed by release.yml:

- https://slsa.dev/provenance/v1            (how it was built)
- https://cyclonedx.org/bom                 (declared dependencies)
- https://in-toto.io/attestation/vulns/v0.1 (vulnerability scan; read the verdict)

SBOM/scan run on the pristine checkout (before the tarball exists, so Syft
does not catalog the archive). The fail-closed self-verify now checks all
three predicates. sbom.cdx.json and grype.json are attached to the Release.
RELEASING.md updated with the per-predicate verify commands.

Pins reuse the repo's existing anchore/sbom-action, anchore/scan-action, and
actions/attest SHAs. actionlint clean.

The multi-predicate verify rewrite kept the old single-predicate loop trailing
exit 1. After all three predicates verify, control fell through to it, so the
step failed every release run despite success. Replace with a success echo;
the per-predicate inner exit 1 still fails closed.
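The fail-closed, multi-predicate self-verify step that the two commits describe, written out as an added example (this is not the project's release.yml; it assumes the `gh attestation verify` CLI with its `--repo` and `--predicate-type` flags, and `OWNER/REPO` is a placeholder). Each predicate that fails to verify returns non-zero immediately; only after every predicate verifies does the function return success, rather than falling through to a trailing `exit 1` as the pre-fix step did.

```shell
#!/bin/sh
# Added example, not the project's own release.yml step.
set -e

# The three predicate URIs the PR attests to the release bundle digest.
PREDICATES="https://slsa.dev/provenance/v1 https://cyclonedx.org/bom https://in-toto.io/attestation/vulns/v0.1"

# verify_all <bundle-path> <verifier-command>
#   <verifier-command> is run as: <cmd> <bundle-path> <predicate-uri>
#   and must exit 0 only when a valid attestation of that predicate type exists.
# Returns 0 when every predicate verifies, 1 at the first failure (fail closed).
verify_all() {
  bundle="$1"
  verifier="$2"
  verified=0
  for uri in $PREDICATES; do
    if "$verifier" "$bundle" "$uri"; then
      verified=$((verified + 1))
      echo "verified: $uri"
    else
      echo "FAILED: no valid $uri attestation for $bundle" >&2
      return 1   # inner fail-closed exit, one per predicate
    fi
  done
  # Success path: report and return 0. The bug fixed in the second commit was a
  # leftover `exit 1` here, which failed every run even after all three verified.
  echo "all $verified predicates verified for $bundle"
  return 0
}

# Real verifier using the gh CLI (assumed flags; OWNER/REPO is a placeholder).
gh_verifier() {
  gh attestation verify "$1" --repo OWNER/REPO --predicate-type "$2" >/dev/null
}

# Stand-alone usage against a constructed bundle path:
#   verify_all dist/release-bundle.tar.gz gh_verifier
```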
@zircote zircote merged commit 67d8539 into main Jun 17, 2026
7 checks passed
@zircote zircote deleted the feat/attest-sbom-vuln-on-release branch June 17, 2026 12:33