fix(sbom): disable file catalogers for Syft SBOM (to minimize SBOM file)

c95c2d47 · Cédric OLIVIER · Pierre Smeyers · ab49089c · c95c2d47 · c95c2d47
Commit c95c2d47 authored 2 months ago by Cédric OLIVIER Committed by Pierre Smeyers 2 months ago
--- a/README.md
+++ b/README.md
@@ -458,7 +458,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job       | _none_                                                                                                                  |
 | `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` |
 | `sbom-image` / `DOCKER_SBOM_IMAGE`       | The docker image used to emit SBOM      | `registry.hub.docker.com/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)|
-| `sbom-opts` / `DOCKER_SBOM_OPTS`         | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
+| `sbom-opts` / `DOCKER_SBOM_OPTS`         | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file` |
 ### `docker-publish` job

--- a/kicker.json
+++ b/kicker.json
@@ -212,7 +212,7 @@
        {
          "name": "DOCKER_SBOM_OPTS",
          "description": "Options for syft used for SBOM analysis",
-          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger",
+          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file",
          "advanced": true
        }
      ]

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -169,7 +169,7 @@ spec:
      default: registry.hub.docker.com/anchore/syft:debug
    sbom-opts:
      description: Options for syft used for SBOM analysis
-      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger
+      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file
 ---
 # default workflow rules: Merge Request pipelines
 workflow: