feat(pipeline): add dependency track sbom upload (!145) · Merge requests · catladder / catladder

Michael requested to merge feat/sbom into main Mar 25, 2023

Rough and basic implementation of #25 (closed)

It creates a sbom job for each env × component in the test stage and one sbom merge/upload job for each env in the verify stage.

Uses the Trivy scanner by default
Supports Yarn workspaces, but each component will get it's own sbom with all workspace packages.
Is opt-out (with components.<c>.build.sbom = false)
Uploads to Dependency Track (DT) as project <customerName>-<appName> with release set to to <env>
- This means review environments will overwrite each other
Uploads to DT only after all deployments have succeeded, unless deployments are disabled

Not implemented:

Handling of DT_KEY. Manually configuring it as a GitLab group CI/CD variable should be good enough.
Disabling of the project in DT

Edited Mar 27, 2023 by Michael

feat(pipeline): add dependency track sbom upload