From 2c579bd21e6c473804f35d4a4338472fe02ec4bf Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Wed, 13 Dec 2023 12:58:24 -0800
Subject: [PATCH] Make the SBOM checks opt-out

Signed-off-by: Matt Moore
---
 main.tf | 2 +-
 variables.tf | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 82e4edf..8c08b5d 100644
--- a/main.tf
+++ b/main.tf
@@ -35,7 +35,7 @@ locals {
 }
 
 data "oci_exec_test" "check-sbom" {
- for_each = local.archs
+ for_each = var.check_sbom ? local.archs : []
 digest = apko_build.this.sboms[each.key].digest
 
 # Run the supplied NTIA checker over the SBOM files mounted into the checker image in a readonly mode.
diff --git a/variables.tf b/variables.tf
index 14f05f7..a562e13 100644
--- a/variables.tf
+++ b/variables.tf
@@ -23,6 +23,11 @@ variable "default_annotations" {
 description = "Default annotations to apply to this image."
 }
 
+variable "check_sbom" {
+ default = true
+ description = "Whether to run the NTIA conformance checker on the SBOMs we are attesting."
+}
+
 variable "sbom_checker" {
 default = "cgr.dev/chainguard/ntia-conformance-checker:latest"
 description = "The NTIA conformance checker image to use to validate SBOMs."
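Review bot: When `var.check_sbom` is false, the new `for_each` on `data "oci_exec_test" "check-sbom"` produces no instances, so the SBOMs are attested without any conformance check. Anything elsewhere in the module that depends on these checks (not visible in this hunk) would then pass trivially. The switch deserves a comment saying so above the `for_each` line, for example `# check_sbom = false skips validation entirely; the SBOMs are still attested, just unchecked.` Separately, `local.archs` is defined outside the hunk; if it is a set, writing the false branch as `toset([])` keeps both arms of the conditional the same type rather than relying on implicit conversion. The data block's body continues past the end of the hunk.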
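Review bot: `variable "check_sbom"` declares no type, so a mistyped or `null` value is only caught later, when the conditional in main.tf is evaluated, instead of at the variable boundary; add `type = bool` to the block. The default of `true` keeps the check on unless a caller turns it off, which is the right direction for a supply-chain control. Because the flag disables validation of the SBOMs being attested, the description should state the consequence, e.g. `description = "Whether to run the NTIA conformance checker on the SBOMs we are attesting. When false, SBOMs are attested without validation."`.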