SBOMs for Helmfile, docker-compose and Helm charts#5122

Draft
supersven wants to merge 8 commits into develop from sventennie/docker-compose-sboms

Conversation

@supersven (Contributor) commented Mar 16, 2026

This PR adds comprehensive Software Bill of Materials (SBOM) generation and upload capabilities for Wire Server. The implementation creates CycloneDX-format SBOMs for three deployment methods:

  • Helm charts: Extracts images from each chart and generates individual SBOMs
  • docker-compose: Scans images from the ephemeral deployment compose file
  • Helmfile: Processes the integration test helmfile deployment

The workflow uses syft for SBOM generation, skopeo for Docker schema v1 compatibility, and cyclonedx-cli for validation, with Makefile targets orchestrating the process and uploading to Dependency Track.

Unfortunately, the syft version in nixos-25.11 is broken. Thus, we're resorting to unstable.

Ticket: https://wearezeta.atlassian.net/browse/WPB-20616

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

Adds `syft` for SBOM creation, `skopeo` to convert Docker images and
`cyclonedx-cli` to validate SBOMs.

The process is driven via Makefile targets: `sboms` creates the SBOM
files, `upload-sboms` uploads them to Dependency Track.
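The pipeline the PR description and the Copilot summaries outline (collect image references from rendered Helm, helmfile or docker-compose output, canonicalize them, run syft, fall back to skopeo for images still served as Docker schema v1 manifests, validate with cyclonedx-cli, upload to Dependency-Track and poll the returned token) as an added bash example. This is not wire-server's hack/bin scripts; the rendered YAML is a constructed sample, and the canonicalization rules, the DTRACK_URL/DTRACK_API_KEY variables, the SBOM_OUT/DEPENDENCY_TRACK_PROJECT_NAME defaults and the exact tool flags are assumptions rather than anything the PR shows.

```bash
#!/usr/bin/env bash
# Added example, not wire-server's hack/bin scripts: the PR's SBOM pipeline
# reduced to shell. Tool flags and the DTRACK_* variables are assumptions.
set -euo pipefail

# Constructed sample of what `helm template` / `docker compose config` render.
sample_rendered_yaml() {
  cat <<'EOF'
spec:
  containers:
    - name: brig
      image: "quay.io/wire/brig:5.1.0"
    - image: nginx   # bare name resolves to docker.io/library
  initContainers:
    - image: 'bitnami/kubectl:1.30'
services:
  db:
    image: quay.io/wire/brig:5.1.0
  cache:
    image: redis@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
}

# All `image:` values on stdin: quotes and trailing comments stripped,
# first-seen order, duplicates dropped.
extract_images() {
  tr -d "\"'" | awk '
    /^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]*/ {
      sub(/^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]*/, "")
      sub(/[[:space:]]+#.*$/, "")
      if ($0 != "" && !seen[$0]++) print
    }'
}

# Normalise a reference so the same image always yields the same SBOM file:
# implicit docker.io / library/ / :latest are made explicit; a digest wins
# over a tag. (Assumed rules; the PR's sbom-common.sh may differ.)
canonicalize_image() {
  local ref=$1 path tag=""
  if [[ $ref == *@* ]]; then
    path=${ref%%@*} tag="@${ref#*@}"
  else
    path=$ref
    local last=${ref##*/}        # only the last component may carry a tag
    if [[ $last == *:* ]]; then
      path=${ref%:*} tag=":${ref##*:}"
    fi
  fi
  local first=${path%%/*}
  if [[ $first != *.* && $first != *:* && $first != localhost ]]; then
    path="docker.io/$path"
  fi
  if [[ $path == docker.io/* && ${path#docker.io/} != */* ]]; then
    path="docker.io/library/${path#docker.io/}"
  fi
  if [[ -z $tag ]]; then tag=":latest"; fi
  printf '%s%s\n' "$path" "$tag"
}

sbom_filename() { printf '%s.cdx.json\n' "$(printf '%s' "$1" | tr '/:@' '___')"; }

# syft reads the registry directly; images still published as Docker schema v1
# manifests are converted to an OCI layout by skopeo first. Always validate.
generate_sbom() {
  local image=$1 outdir=$2 out
  out="$outdir/$(sbom_filename "$image")"
  mkdir -p "$outdir"
  if ! syft -q "registry:$image" -o "cyclonedx-json=$out"; then
    local oci; oci=$(mktemp -d)
    skopeo copy "docker://$image" "oci:$oci:img"
    syft -q "oci-dir:$oci" -o "cyclonedx-json=$out"
    rm -rf "$oci"
  fi
  cyclonedx-cli validate --input-file "$out" --input-format json --fail-on-errors
  printf '%s\n' "$out"
}

# Dependency-Track's BOM API: PUT returns {"token":"..."}; the token endpoint
# reports {"processing":true|false} until the BOM has been analysed.
upload_sbom() {
  local file=$1 project=$2 version=$3
  curl -fsS -X PUT "${DTRACK_URL:?}/api/v1/bom" -H "X-Api-Key: ${DTRACK_API_KEY:?}" \
    -F autoCreate=true -F "projectName=$project" -F "projectVersion=$version" \
    -F "bom=@$file" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}
check_sbom_status() {
  curl -fsS -H "X-Api-Key: ${DTRACK_API_KEY:?}" "${DTRACK_URL:?}/api/v1/bom/token/$1"
}

# Offline by default: list what a run would scan. `--run` needs the tools above.
sample_rendered_yaml | extract_images | while read -r img; do
  canonicalize_image "$img"
done
if [ "${1:-}" = "--run" ]; then
  sample_rendered_yaml | extract_images | while read -r img; do
    ref=$(canonicalize_image "$img")
    file=$(generate_sbom "$ref" "${SBOM_OUT:-tmp/sboms}")
    token=$(upload_sbom "$file" "${DEPENDENCY_TRACK_PROJECT_NAME:-sbom-demo}" "$ref")
    echo "$ref -> $file (token $token: $(check_sbom_status "$token"))"
  done
fi
```

Run without arguments it only prints the canonical image list for the sample; with `--run` it needs syft, skopeo, cyclonedx-cli and curl on PATH plus DTRACK_URL and DTRACK_API_KEY set. Canonicalizing before naming the output file is what keeps `nginx`, `library/nginx` and `docker.io/library/nginx:latest` from producing three SBOMs for one image.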
@supersven requested a review from Copilot on March 16, 2026 15:22
@zebot added the ok-to-test label (Approved for running tests in CI, overrides not-ok-to-test if both labels exist) on Mar 16, 2026
Copilot AI left a comment


Pull request overview

Adds tooling to generate CycloneDX SBOMs for deployment artifacts (Helm charts, Helmfile, docker-compose) and upload them to Dependency-Track, wiring required CLI tools into the Nix dev environment and exposing make targets to run the workflow.

Changes:

  • Add SBOM generation scripts for Helm charts, Helmfile, and docker-compose, plus shared helpers and a centralized syft runner.
  • Add Dependency-Track upload/check scripts and new Makefile targets to generate/validate/upload SBOMs.
  • Extend flake/Nix dev shell inputs to include syft and cyclonedx-cli (via unstable nixpkgs for syft).

Reviewed changes

Copilot reviewed 5 out of 14 changed files in this pull request and generated 5 comments.

Summary per file:

  • nix/wire-server.nix: Adds syft and cyclonedx-cli to the dev environment.
  • nix/default.nix: Threads pkgs_unstable through to wire-server.nix.
  • flake.nix: Introduces nixpkgs-unstable and passes pkgs_unstable into ./nix.
  • flake.lock: Locks the added nixpkgs-unstable input.
  • hack/bin/upload-sbom.sh: New script to upload SBOMs to Dependency-Track and manage project hierarchy/metadata.
  • hack/bin/check-sbom-status.sh: New helper to query Dependency-Track processing status by token.
  • hack/bin/sbom-common.sh: Shared helpers for SBOM generation (image canonicalization, schema1 handling, validation).
  • hack/bin/run-syft.sh: Centralizes syft invocation/config for consistent SBOM output.
  • hack/bin/create-helmfile-sboms.sh: Generates SBOMs for images referenced by rendered Helmfile output.
  • hack/bin/create-helm-sboms.sh: Generates SBOMs for images discovered via helm template across charts.
  • hack/bin/create-docker-compose-sboms.sh: Generates SBOMs for images in docker-compose config.
  • Makefile: Adds SBOM generation/validation/upload targets and a Dependency-Track project name variable.
  • .gitignore: Ignores tmp/ (used for SBOM outputs).
  • changelog.d/5-internal/sboms: Changelog entry for SBOM tooling.


supersven and others added 4 commits March 16, 2026 17:07
Copilot AI left a comment


Pull request overview

Adds end-to-end SBOM generation (CycloneDX JSON via syft) for Wire Server images across Helm charts, docker-compose ephemeral deploy, and helmfile-based integration deploys, plus tooling to validate and upload SBOMs to Dependency-Track.

Changes:

  • Add new hack/bin/* scripts to generate SBOMs for Helm charts, docker-compose images, and helmfile-rendered images, plus upload helpers.
  • Add Makefile targets to generate, validate (via cyclonedx), and upload all SBOMs.
  • Extend Nix flake/dev environment to include syft (from nixpkgs-unstable) and cyclonedx-cli.

Reviewed changes

Copilot reviewed 5 out of 14 changed files in this pull request and generated 3 comments.

Summary per file:

  • nix/wire-server.nix: Adds pkgs_unstable.syft and cyclonedx-cli into the dev environment inputs.
  • nix/default.nix: Threads pkgs_unstable into the nix package set import chain.
  • flake.nix: Adds nixpkgs-unstable input and exposes pkgs_unstable to ./nix.
  • flake.lock: Locks the new nixpkgs-unstable dependency.
  • hack/bin/sbom-common.sh: Shared helpers for Docker availability, image canonicalization, schema1 handling, and basic JSON validation.
  • hack/bin/run-syft.sh: Centralizes syft invocation and environment settings for consistent output.
  • hack/bin/create-helm-sboms.sh: Generates SBOMs for images discovered via helm template per chart.
  • hack/bin/create-docker-compose-sboms.sh: Generates SBOMs for images from docker-compose config.
  • hack/bin/create-helmfile-sboms.sh: Generates SBOMs for images extracted from rendered helmfile templates.
  • hack/bin/upload-sbom.sh: Uploads a single SBOM to Dependency-Track and fixes parent/external reference relations.
  • hack/bin/upload-all-sboms.sh: Iterates over generated SBOMs and uploads them by source type.
  • Makefile: Adds SBOM generation/validation/upload targets (but currently contains unintended corruption in openapi-validate).
  • .gitignore: Ignores tmp/ where SBOMs are generated.
  • changelog.d/5-internal/sboms: Changelog entry for SBOM generation/upload.


HELM_PARALLELISM ?= 1 # 1 for sequential tests; 6 for all-parallel tests
PSQL_DB ?= backendA
export PSQL_DB
DEPENDENCY_TRACK_PROJECT_NAME ?= sven-bom-test