feat(pipeline): add dependency track sbom upload
Rough and basic implementation of #25 (closed).

Depends on !144 (merged).

It creates an SBOM job for each env × component in the test stage and one SBOM merge/upload job for each env in the verify stage.

- Uses the Trivy scanner by default
- Supports Yarn workspaces, but each component will get its own SBOM with all workspace packages.
- Is opt-out (with `components.<c>.build.sbom = false`)
- Uploads to Dependency Track (DT) as project `<customerName>-<appName>` with release set to `<env>`
  - This means review environments will overwrite each other
- Uploads to DT only after all deployments have succeeded, unless deployments are disabled

Not implemented:

- Handling of `DT_KEY`. Manually configuring it as a GitLab group CI/CD variable should be good enough.
- Disabling of the project in DT
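As an added illustration (not the MR's generated pipeline), this is the shape of jobs the description above implies, written out by hand in GitLab CI: one Trivy SBOM job per component in the test stage, one merge/upload job per environment in the verify stage, with the API key read from the `DT_KEY` group variable. Assumed names: components `web` and `api`, environment `staging`, variables `DT_URL`, `CUSTOMER_NAME` and `APP_NAME`, and an upload image that provides both the `cyclonedx` CLI and `curl`.

```yaml
# Hand-written illustration of the MR's job layout (assumptions noted inline).
# Deploy jobs are omitted; the verify stage runs after them, so a failed
# deployment prevents the upload, as the description states.
stages: [test, deploy, verify]

.sbom:
  stage: test
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]          # override the image entrypoint so GitLab can run `script`
  script:
    # Generate a CycloneDX SBOM for one component from its source tree/lockfiles.
    - trivy fs --format cyclonedx --output "sbom-${COMPONENT}.cdx.json" "./${COMPONENT}"
  artifacts:
    paths: ["sbom-${COMPONENT}.cdx.json"]
  rules:
    # Stand-in for the `components.<c>.build.sbom = false` opt-out (assumption:
    # the config value is exported as a job variable by the pipeline generator).
    - if: '$SBOM_ENABLED != "false"'

sbom:staging:web:
  extends: .sbom
  variables: { COMPONENT: web }

sbom:staging:api:
  extends: .sbom
  variables: { COMPONENT: api }

sbom-upload:staging:
  stage: verify
  image: example/cyclonedx-and-curl:latest   # assumption: ships `cyclonedx` and `curl`
  needs: [sbom:staging:web, sbom:staging:api]
  script:
    # Merge the per-component SBOMs into one document for this environment.
    - cyclonedx merge --input-files sbom-*.cdx.json --output-file merged.cdx.json
    # Upload to Dependency-Track's BOM endpoint. Project name follows
    # <customerName>-<appName>, version is the environment name, so two
    # pipelines for the same env overwrite each other (as noted above).
    # `--fail` makes a rejected upload fail the job instead of passing silently.
    - |
      curl --fail --silent --show-error -X PUT "${DT_URL}/api/v1/bom" \
        -H "X-Api-Key: ${DT_KEY}" \
        -F "autoCreate=true" \
        -F "projectName=${CUSTOMER_NAME}-${APP_NAME}" \
        -F "projectVersion=staging" \
        -F "bom=@merged.cdx.json"
```

Mark `DT_KEY` as masked and protected in the group variable settings so it is not echoed in job logs and is only exposed on protected refs.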