Run the NTIA conformance checker

Signed-off-by: Matt Moore <[email protected]>
chainguard-dev · Nov 17, 2023 · 45fe2cc · 45fe2cc
1 parent 73ca17d
commit 45fe2cc
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -19,6 +19,7 @@ No requirements.
 |------|---------|
 | <a name="provider_apko"></a> [apko](#provider\_apko) | n/a |
 | <a name="provider_cosign"></a> [cosign](#provider\_cosign) | n/a |
+| <a name="provider_oci"></a> [oci](#provider\_oci) | n/a |
 
 ## Modules
 
@@ -32,6 +33,7 @@ No modules.
 | [cosign_attest.this](https://registry.terraform.io/providers/chainguard-dev/cosign/latest/docs/resources/attest) | resource |
 | [cosign_sign.signature](https://registry.terraform.io/providers/chainguard-dev/cosign/latest/docs/resources/sign) | resource |
 | [apko_config.this](https://registry.terraform.io/providers/chainguard-dev/apko/latest/docs/data-sources/config) | data source |
+| [oci_exec_test.check-sbom](https://registry.terraform.io/providers/chainguard-dev/oci/latest/docs/data-sources/exec_test) | data source |
 
 ## Inputs
 
@@ -40,6 +42,7 @@ No modules.
 | <a name="input_config"></a> [config](#input\_config) | The apko configuration file to build and publish. | `any` | n/a | yes |
 | <a name="input_default_annotations"></a> [default\_annotations](#input\_default\_annotations) | Default annotations to apply to this image. | `map(string)` | `{}` | no |
 | <a name="input_extra_packages"></a> [extra\_packages](#input\_extra\_packages) | Additional packages to install into this image. | `list(string)` | `[]` | no |
+| <a name="input_sbom_checker"></a> [sbom\_checker](#input\_sbom\_checker) | The NTIA conformance checker image to use to validate SBOMs. | `string` | `"cgr.dev/chainguard/ntia-conformance-checker:latest"` | no |
 | <a name="input_target_repository"></a> [target\_repository](#input\_target\_repository) | The docker repo into which the image and attestations should be published. | `any` | n/a | yes |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -5,12 +5,9 @@ SPDX-License-Identifier: Apache-2.0
 
 terraform {
   required_providers {
-    cosign = {
-      source = "chainguard-dev/cosign"
-    }
-    apko = {
-      source = "chainguard-dev/apko"
-    }
+    apko   = { source = "chainguard-dev/apko" }
+    cosign = { source = "chainguard-dev/cosign" }
+    oci    = { source = "chainguard-dev/oci" }
   }
 }
 
@@ -36,9 +33,19 @@ locals {
   archs = toset(concat(["index"], data.apko_config.this.config.archs))
 }
 
+data "oci_exec_test" "check-sbom" {
+  for_each = local.archs
+  digest   = apko_build.this.sboms[each.key].digest
+
+  # Run the supplied NTIA checker over the SBOM files mounted into the checker image in a readonly mode.
+  script = "docker run --rm -v ${apko_build.this.sboms[each.key].predicate_path}:/sbom.json:ro ${var.sbom_checker} --file /sbom.json"
+}
+
 resource "cosign_attest" "this" {
   for_each = local.archs
 
+  depends_on = [data.oci_exec_test.check-sbom]
+
   image = apko_build.this.sboms[each.key].digest
 
   # Do not re-attest things that have not changed.

diff --git a/variables.tf b/variables.tf
@@ -22,3 +22,8 @@ variable "default_annotations" {
   default     = {}
   description = "Default annotations to apply to this image."
 }
+
+variable "sbom_checker" {
+  default     = "cgr.dev/chainguard/ntia-conformance-checker:latest"
+  description = "The NTIA conformance checker image to use to validate SBOMs."
+}