From eb140a40ffcb75b53807dfea34a3173bf9a2c972 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Dymi=C5=84ski?=
Date: Fri, 1 Nov 2024 16:51:26 +0100
Subject: [PATCH] Add possibility to check and generate newest SBOMs in the container registry
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Mateusz DymiƄski
---
 stable/ksoc-plugins/Chart.yaml | 4 ++--
 stable/ksoc-plugins/README.md | 3 ++-
 stable/ksoc-plugins/values.yaml | 8 +++++++-
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/stable/ksoc-plugins/Chart.yaml b/stable/ksoc-plugins/Chart.yaml
index 8e0c975..9601e9f 100644
--- a/stable/ksoc-plugins/Chart.yaml
+++ b/stable/ksoc-plugins/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: ksoc-plugins
-version: 1.9.3
+version: 1.9.4
 description: A Helm chart to run the KSOC plugins
 home: https://ksoc.com
 icon: https://ksoc.com/hubfs/Ksoc-logo.svg
@@ -17,7 +17,7 @@ annotations:
 # Possible kind options are added, changed, deprecated, removed, fixed and security.
 artifacthub.io/changes: |
 - kind: added
- description: Add documentation for the `IMAGE_PULL_SECRETS` config value in 'rad-sbom' component.
+ description: Add possibility to check and generate SBOMs for latests images in the container registry.
 artifacthub.io/containsSecurityUpdates: "false"
 artifacthub.io/links: |
 - name: source
diff --git a/stable/ksoc-plugins/README.md b/stable/ksoc-plugins/README.md
index 05b65eb..f6baea1 100644
--- a/stable/ksoc-plugins/README.md
+++ b/stable/ksoc-plugins/README.md
@@ -570,9 +570,10 @@ The command removes all the Kubernetes components associated with the chart and
 | ksocSbom.env.LOG_LEVEL | string | `"info"` | The log level to use. Options are trace, debug, info, warn, error |
 | ksocSbom.env.MUTATE_ANNOTATIONS | bool | `false` | Whether to mutate the annotations in pod spec by adding images digests. Annotations can be used to track image digests in addition to, or instead of the image tag mutation. |
 | ksocSbom.env.MUTATE_IMAGE | bool | `true` | Whether to mutate the image in pod spec by adding digest at the end. By default, digests are added to images to ensure that the image that runs in the cluster matches the digest of the build. Disable this if your continuous deployment reconciler requires a strict image tag match. |
+| ksocSbom.env.SBOM_CHECK_LATEST | bool | `false` | Experimental: Whether to check for the latest image in the container registry and generate SBOM for it. If deployed image has tag with semver format, rad-sbom tries to get the newest image, newest minor version, or newest patch version. If the tag is not in semver format, rad-sbom tries to get the newest image from the container registry based on the tag time. Please be aware that time-based algorithm requires many requests to the container registry and may be slow. It works only if credentials are provided. Please note that this feature is experimental and may not work with all container registries. |
 | ksocSbom.env.SBOM_FORMAT | string | `"cyclonedx-json"` | The format of the generated SBOM. Currently we support: syft-json,cyclonedx-json,spdx-json |
 | ksocSbom.image.repository | string | `"public.ecr.aws/n8h5y2v5/rad-security/rad-sbom"` | The image to use for the ksoc-sbom deployment |
-| ksocSbom.image.tag | string | `"v1.1.28"` | |
+| ksocSbom.image.tag | string | `"v1.1.30"` | |
 | ksocSbom.nodeSelector | object | `{}` | |
 | ksocSbom.podAnnotations | object | `{}` | |
 | ksocSbom.resources.limits.cpu | string | `"1000m"` | |
diff --git a/stable/ksoc-plugins/values.yaml b/stable/ksoc-plugins/values.yaml
index 5087d0c..32b41c8 100644
--- a/stable/ksoc-plugins/values.yaml
+++ b/stable/ksoc-plugins/values.yaml
@@ -92,7 +92,7 @@ ksocSbom:
 image:
 # -- The image to use for the ksoc-sbom deployment
 repository: public.ecr.aws/n8h5y2v5/rad-security/rad-sbom
- tag: v1.1.28
+ tag: v1.1.30
 env:
 # -- Whether to mutate the image in pod spec by adding digest at the end. By default, digests are added to images to ensure
 # that the image that runs in the cluster matches the digest of the build. Disable this if your continuous deployment
@@ -108,6 +108,12 @@ ksocSbom:
 # additionally, you can specify the secrets here.
 # If you use AWS ECR private registry, we recommend to use EKS Pod Identity or IRSA to add access to "rad-sbom" to the ECR registry.
 IMAGE_PULL_SECRETS: ""
+ # -- Experimental: Whether to check for the latest image in the container registry and generate SBOM for it.
+ # If deployed image has tag with semver format, rad-sbom tries to get the newest image, newest minor version, or newest patch version.
+ # If the tag is not in semver format, rad-sbom tries to get the newest image from the container registry based on the tag time.
+ # Please be aware that time-based algorithm requires many requests to the container registry and may be slow. It works only if
+ # credentials are provided. Please note that this feature is experimental and may not work with all container registries.
+ SBOM_CHECK_LATEST: false
 # -- The log level to use. Options are trace, debug, info, warn, error
 LOG_LEVEL: info
 resources:
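Review bot: The new `SBOM_CHECK_LATEST` comment block says the feature "works only if credentials are provided" but not what those credentials must be allowed to do; finding the "newest" image means enumerating tags in the repository, which is a different and usually broader registry permission than pulling one known image (on ECR presumably `ecr:DescribeImages`/`ecr:ListImages` on top of the pull actions), so an operator who already set up IRSA or `IMAGE_PULL_SECRETS` for pulls, as the surrounding comment recommends, may enable this and get either silent failures or an over-broad grant made without thinking about least privilege. I would add after the "credentials are provided" sentence: `# The credentials (IMAGE_PULL_SECRETS, or Pod Identity/IRSA for ECR) must also be allowed to list tags in the repository, not just pull the deployed image.` The time-based fallback is described as needing "many requests" and nothing in these values bounds it, so it is also worth warning that those requests count against the registry's rate limit, which may be shared with the cluster's own image pulls, e.g. `# Tag-time lookups count against the registry rate limit, which may be shared with node image pulls.` Whether rad-sbom caps or backs off those requests is not visible from the chart, so that wording should be confirmed against the component before merging.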