Both charts are scratch (no upstream Helm chart published — Coraza project + anchore/syft+grype CLIs ship containers only). The blueprint-release.yaml hollow-chart gate (issue #181) rejects charts with zero declared dependencies. Adding sigstore/common as a tiny library subchart satisfies the gate; common is a library type so it contributes zero runtime resources to either chart's rendered output. The Catalyst-side templates (Deployment+Service for bp-coraza, CronJob+PVC for bp-syft-grype) remain entirely in templates/ — the library dep is purely a CI-gate mechanism, NOT a functional dependency. Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>

Files in this directory:
- chart
- blueprint.yaml
- README.md
Syft + Grype
SBOM generation and vulnerability matching for supply chain security. Per-host-cluster infrastructure (see docs/PLATFORM-TECH-STACK.md §3.3). Catalyst's CI runs Syft on every Blueprint to publish an SBOM alongside the OCI artifact; Grype matches the published SBOM against its vulnerability database in CI and again at runtime, so that CVEs disclosed after the image was built are still caught without rebuilding it.
Category: Supply Chain Security | Type: Mandatory per host cluster
Overview
Syft generates a Software Bill of Materials (SBOM) for container images, and Grype matches SBOMs against vulnerability databases. Together they provide the continuous supply chain visibility required by the EU Cyber Resilience Act (CRA) and banking regulators.
Key Features
- SBOM generation in CycloneDX and SPDX formats
- Vulnerability matching against the NVD, GitHub Advisory and OSV databases
- CI/CD integration via Gitea Actions
- Runtime scanning via Harbor integration
Integration
| Component | Integration |
|---|---|
| Harbor | Stores SBOMs as OCI artifacts |
| Sigstore/Cosign | Attaches SBOM attestations to signed images |
| Trivy | Complementary scanning (Trivy for runtime, Grype for CI) |
| Gitea Actions | SBOM generation in build pipeline |
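The CI flow described above (Syft emits a CycloneDX SBOM, Grype matches it, the result gates the publish step, Cosign attaches the SBOM as an attestation) needs a policy decision between "Grype found something" and "fail the build". The script below is an added example, not code from the OpenOva repository: it reads Grype's JSON output and blocks only on matches at or above a severity threshold that already have a fix, reports unfixable ones as advisory, and honours an explicit ignore list the way a `.grype.yaml` ignore rule would. The policy, the image reference, the file names and the placeholder CVE IDs in the embedded sample are assumptions; the `syft`, `grype` and `cosign` invocations in the docstring are real CLI flags but are run by the pipeline, not by this script.

```python
"""CI gate over a Grype JSON report (added example, not OpenOva project code).

Assumed surrounding pipeline, run by the Gitea Actions job (image ref is a placeholder):

    syft registry:harbor.example/catalyst/app:1.2.3 -o cyclonedx-json=sbom.cdx.json
    grype sbom:sbom.cdx.json -o json > grype.json
    python3 gate.py grype.json CVE-0000-0003     # non-zero exit blocks the publish step
    cosign attest --type cyclonedx --predicate sbom.cdx.json harbor.example/catalyst/app:1.2.3

Policy (an assumption, not the project's): block on matches at or above the
threshold severity that already have a fix; list unfixable ones as advisory;
skip IDs on an explicit ignore list (the second CLI argument, comma-separated).
"""
import json
import sys

# Severity strings exactly as Grype emits them in vulnerability.severity.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
UNKNOWN_RANK = SEVERITY_RANK["Medium"]  # "Unknown" is ranked as Medium so it is not silently dropped


def evaluate(report, threshold="High", ignore=frozenset(), require_fix=True):
    """Sort each Grype match into blocking / advisory / ignored buckets."""
    min_rank = SEVERITY_RANK[threshold]
    buckets = {"blocking": [], "advisory": [], "ignored": []}
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        entry = "%s %s %s@%s" % (vuln["id"], vuln.get("severity", "Unknown"), art["name"], art["version"])
        if vuln["id"] in ignore:
            buckets["ignored"].append(entry)
            continue
        if SEVERITY_RANK.get(vuln.get("severity"), UNKNOWN_RANK) < min_rank:
            continue  # below threshold: neither blocking nor listed
        fix_available = vuln.get("fix", {}).get("state") == "fixed"
        if require_fix and not fix_available:
            buckets["advisory"].append(entry)  # nothing to upgrade to yet; surface, don't block
        else:
            buckets["blocking"].append(entry)
    return buckets


def exit_code(buckets):
    """Non-zero only when at least one blocking match remains."""
    return 1 if buckets["blocking"] else 0


# Constructed sample in the shape of `grype -o json` (only the fields the gate
# reads). The CVE IDs and package versions are placeholders, not real advisories.
SAMPLE_GRYPE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.1.1w"]}},
         "artifact": {"name": "openssl", "version": "1.1.1t", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "zlib", "version": "1.2.13", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["2.9.2"]}},
         "artifact": {"name": "requests", "version": "2.25.1", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["5.2"]}},
         "artifact": {"name": "bash", "version": "5.1", "type": "deb"}},
    ]
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_GRYPE_REPORT  # offline demo run
    ignore = set(argv[2].split(",")) if len(argv) > 2 else set()
    buckets = evaluate(report, threshold="High", ignore=ignore)
    for name in ("blocking", "advisory", "ignored"):
        for entry in buckets[name]:
            print(name.upper(), entry)
    return exit_code(buckets)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the embedded sample: the fixed Critical openssl match blocks, the unfixable zlib match is advisory, and the Low bash match is below threshold and not listed. Treating "Unknown" as Medium rather than zero matters in practice: a freshly published advisory often lands in the Grype database before NVD assigns a CVSS score, and a gate that ranks it as Negligible would let it through.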
Deployment
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: syft-grype
  namespace: flux-system
spec:
  interval: 10m
  path: ./platform/syft-grype
  prune: true
  # spec.sourceRef (the kind and name of the Flux source holding ./platform/syft-grype)
  # is required by the Kustomization CRD but is not shown here; take it from the
  # cluster's bootstrap source.
```
Part of OpenOva