From f266715dd0310f1020b195443bf6cafe1922f313 Mon Sep 17 00:00:00 2001
From: Guillaume Lours <705411+glours@users.noreply.github.com>
Date: Tue, 12 Aug 2025 11:00:24 +0200
Subject: [PATCH] add --provenance and --sbom flag to generated bake command line, also add attestation per-service configuration to generated bake target
Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com>
---
 pkg/compose/build_bake.go | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/pkg/compose/build_bake.go b/pkg/compose/build_bake.go
index 730169045..e9241c1b8 100644
--- a/pkg/compose/build_bake.go
+++ b/pkg/compose/build_bake.go
@@ -119,6 +119,7 @@ type bakeTarget struct {
 Entitlements []string `json:"entitlements,omitempty"`
 ExtraHosts map[string]string `json:"extra-hosts,omitempty"`
 Outputs []string `json:"output,omitempty"`
+ Attest []string `json:"attest,omitempty"`
 }
 type bakeMetadata map[string]buildStatus
@@ -255,6 +256,7 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 Outputs: outputs,
 Call: call,
+ Attest: toBakeAttest(build),
 }
 }
@@ -308,6 +310,12 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 args = append(args, "--allow", "security.insecure")
 }
 }
+ if options.SBOM != "" {
+ args = append(args, "--sbom="+options.SBOM)
+ }
+ if options.Provenance != "" {
+ args = append(args, "--provenance="+options.Provenance)
+ }
 if options.Builder != "" {
 args = append(args, "--builder", options.Builder)
@@ -458,6 +466,30 @@ func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig)
 return s
 }
+func toBakeAttest(build types.BuildConfig) []string {
+ var attests []string
+
+ // Handle per-service provenance configuration (only from build config, not global options)
+ if build.Provenance != "" {
+ if build.Provenance == "true" {
+ attests = append(attests, "type=provenance")
+ } else if build.Provenance != "false" {
+ attests = append(attests, fmt.Sprintf("type=provenance,%s", build.Provenance))
+ }
+ }
+
+ // Handle per-service SBOM configuration (only from build config, not global options)
+ if build.SBOM != "" {
+ if build.SBOM == "true" {
+ attests = append(attests, "type=sbom")
+ } else if build.SBOM != "false" {
+ attests = append(attests, fmt.Sprintf("type=sbom,%s", build.SBOM))
+ }
+ }
+
+ return attests
+}
+
 func dockerFilePath(ctxName string, dockerfile string) string {
 if dockerfile == "" {
 return ""
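Review bot: toBakeAttest silently drops an explicit `provenance: false` / `sbom: false` from the service build config (the `!= "false"` branches closing each if-chain), so the bake target carries no attest entry and bake's own default, or the global flag, applies instead of the opt-out the user wrote; the global path in the earlier hunk does forward `--provenance=false` and `--sbom=false` to bake verbatim, so the two routes disagree for the same value. buildx expresses an explicit opt-out as `type=<kind>,disabled=true` in attest and bake accepts that attribute, so the `false` case should emit that entry rather than nothing — worth confirming against the bake version compose pins. The two if-chains differ only in the attest type and would read better through one small helper, which also replaces the `fmt.Sprintf` calls with plain concatenation.
```go
// attestEntry maps a compose-level provenance/sbom value to one bake attest
// entry: "" -> none, "true" -> enabled, "false" -> explicitly disabled, anything
// else -> passed through as extra attributes (e.g. mode=max).
func attestEntry(kind, value string) string {
	switch value {
	case "":
		return ""
	case "true":
		return "type=" + kind
	case "false":
		return "type=" + kind + ",disabled=true"
	default:
		return "type=" + kind + "," + value
	}
}

func toBakeAttest(build types.BuildConfig) []string {
	var attests []string
	for _, entry := range []string{
		attestEntry("provenance", build.Provenance),
		attestEntry("sbom", build.SBOM),
	} {
		if entry != "" {
			attests = append(attests, entry)
		}
	}
	return attests
}
```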