Closed
Description
Objective
Implement Software Bill of Materials (SBOM) generation in the CI/CD pipeline to provide complete visibility into the dependency tree, enabling compliance reporting, vulnerability tracking, and supply chain risk assessment.
Context
Currently there is no SBOM generation, limiting visibility into transitive dependencies and making it difficult to track vulnerabilities across the 49 direct Go dependencies.
Approach
- Install SBOM generation tool:
  - Use `syft` for comprehensive SBOM generation
  - Alternative: `cyclonedx-gomod` for Go-specific SBOMs
- Create `.github/workflows/security-sbom.yml`:
  - Trigger on release creation and weekly schedule
  - Generate SBOM in both SPDX and CycloneDX formats
  - Include all Go dependencies (direct and transitive)
  - Upload SBOM as workflow artifact
  - Attach SBOM to GitHub releases
- Add Makefile target:

```makefile
.PHONY: sbom
sbom:
	syft packages . -o spdx-json=sbom.spdx.json -o cyclonedx-json=sbom.cdx.json
```
- Update documentation: Add SBOM generation process to `SECURITY.md`
Example Commands
```sh
# Generate SBOM with syft
syft packages . -o spdx-json=sbom.spdx.json -o cyclonedx-json=sbom.cdx.json
# Alternative with cyclonedx-gomod
cyclonedx-gomod mod -json -output sbom.cdx.json
```

Files to Create/Modify
- Create: `.github/workflows/security-sbom.yml`
- Modify: `Makefile` (add `sbom` target)
- Modify: `SECURITY.md` (document SBOM generation)
Acceptance Criteria
- SBOM generation workflow created and scheduled (weekly + on release)
- SBOM generated in both SPDX and CycloneDX formats
- SBOM uploaded as workflow artifacts
- SBOM attached to GitHub releases
- Makefile target `make sbom` added for local generation
- SBOM generation documented in `SECURITY.md`
- SBOM includes version, license, and hash information for all dependencies
- All action versions pinned to SHA following security best practices
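One way the `security-sbom.yml` workflow described in the Approach and checked by the Acceptance Criteria could look, as an added example rather than code from this issue or the project. The action commit SHAs and the syft version are placeholders to fill in after review, and the `jq` step assumes syft's CycloneDX output records a `version` per component.

```yaml
# Added example, not the project's workflow. <full-commit-sha> and
# <syft-version> are placeholders: pin to the reviewed commit/tag.
name: security-sbom

on:
  release:
    types: [published]
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC
  workflow_dispatch: {}

permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only so the release step can attach assets
    steps:
      - uses: actions/checkout@<full-commit-sha>   # v4, pinned by SHA
      - uses: actions/setup-go@<full-commit-sha>   # v5, pinned by SHA
        with:
          go-version-file: go.mod

      - name: Install syft at a pinned version (placeholder)
        run: go install github.com/anchore/syft/cmd/syft@v<syft-version>

      - name: Generate SPDX and CycloneDX SBOMs (direct and transitive modules)
        run: syft packages . -o spdx-json=sbom.spdx.json -o cyclonedx-json=sbom.cdx.json

      # Fail the run if any component lacks a version; extend the filter to
      # licenses/hashes once you have confirmed what syft emits for Go modules.
      - name: Sanity-check CycloneDX components
        run: jq -e '[.components[] | select(.version == null)] | length == 0' sbom.cdx.json

      - uses: actions/upload-artifact@<full-commit-sha>   # v4, pinned by SHA
        with:
          name: sbom
          path: |
            sbom.spdx.json
            sbom.cdx.json

      - name: Attach SBOMs to the GitHub release
        if: github.event_name == 'release'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release upload "${{ github.event.release.tag_name }}" sbom.spdx.json sbom.cdx.json --clobber
```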
Priority
High - Enables vulnerability tracking and compliance reporting
Related to #5537
AI generated by Plan Command for discussion #5535