Configure a Buildkite Pipeline

EdgeBit gives developers context about new and modified software dependencies when submitted a pull request or pushing a new commit before it merges into main.

This context is useful for:

• vulnerabilities: understand vulnerabilities present in the selected version(s)
• recommendations: see a recommended version with fixed vulnerabilities, if available
• standardization: gain context about versions of the same dependency that other teams may be using at your organization – think of this as a gentle nudge to standarize via social proof

This document will walk through adding a step to a Buildkite pipeline to generate and upload an SBOM to EdgeBit. Optionally, a GitHub check can be used to display issues found inside of a Pull Request.

The action uses the Syft open source project to generate the software bill of materials (SBOM).

Create Pipeline File

Select the container based pipeline for the most accurate results.

$ mkdir -p .buildkite
$ mkdir -p edgebit
$ curl -sL https://edgebit.io/docs/0.x/assets/container-syft.yaml > .buildkite/edgebit/container-syft.yaml

env:
  EDGEBIT_COMPONENT_NAME: foobar
  CONTAINER_NAME: example/foobar
  EBCTL_VERSION: v0.8.1
steps:
  - label: Download Syft
    command: |
      if [ ! -f "/usr/local/bin/syft" ]; then
        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin v1.4.0
      fi      

  - label: Download EdgeBit CLI
    command: |
      cd /usr/local/bin
      curl -sSfL "https://install.edgebit.io/releases/edgebit-cli/${EBCTL_VERSION}/edgebit-cli_Linux_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | sudo tar xz      

  - label: Build Container
    command: |
      docker build \
        --tag "$CONTAINER_NAME" \
        .      

  - label: Generate SBOM from container
    command: |
      cd "$BUILDKITE_BUILD_CHECKOUT_PATH"
      /usr/local/bin/syft \
        --quiet \
        --config .buildkite/edgebit/container-syft.yaml \
        --output spdx-json=/tmp/sbom.spdx.json \
        scan \
        "$CONTAINER_NAME"      

  - label: Upload SBOM to EdgeBit
    command: |
      /usr/local/bin/ebctl upload-sbom \
        --commit $BUILDKITE_COMMIT \
        --component "$EDGEBIT_COMPONENT_NAME" \
        --repo "$BUILDKITE_REPO" \
        --image-tag "$CONTAINER_NAME" \
        --image-id $(docker image inspect --format '{{.ID}}' $CONTAINER_NAME) \
        --repo-digest $(docker image inspect --format '{{join .RepoDigests ","}}' $CONTAINER_NAME) \
        --pull-request "$BUILDKITE_PULL_REQUEST" \
        /tmp/sbom.spdx.json      

$ mkdir -p .buildkite
$ mkdir -p edgebit
$ curl https://edgebit.io/docs/0.x/assets/source-syft.yaml > .buildkite/edgebit/source-syft.yaml

env:
  EDGEBIT_COMPONENT_NAME: foobar
  EBCTL_VERSION: v0.8.1
steps:
  - label: Download Syft
    command: |
      if [ ! -f "/usr/local/bin/syft" ]; then
        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
      fi      

  - label: Download EdgeBit CLI
    command: |
      cd /usr/local/bin
      curl -sSfL "https://install.edgebit.io/releases/edgebit-cli/${EBCTL_VERSION}/edgebit-cli_Linux_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | sudo tar xz      

  - label: Generate SBOM from source code
    command: |
      cd "$BUILDKITE_BUILD_CHECKOUT_PATH" &&
      /usr/local/bin/syft \
        --quiet \
        --config .buildkite/edgebit/source-syft.yaml \
        --output spdx-json=/tmp/sbom.spdx.json \
      scan \
      .      

  - label: Upload SBOM to EdgeBit
    command: |
      /usr/local/bin/ebctl upload-sbom \
        --commit $BUILDKITE_COMMIT \
        --component "$EDGEBIT_COMPONENT_NAME" \
        --repo "$BUILDKITE_REPO" \
        --pull-request "$BUILDKITE_PULL_REQUEST" \
        /tmp/sbom.spdx.json      

These pipeline steps do the following:

1. Generates a software bill of materials (SBOM) by detecting most common programming languages, by using the Syft open source project, either from:
   • an existing container build step using CONTAINER_NAME
   • from source code using BUILDKITE_BUILD_CHECKOUT_PATH,
2. Uses your EdgeBit Access Token to upload the SBOM to EdgeBit and ties it to the specific commit
3. Groups the stream of SBOMs into a Component for tracking changes over time

Set Pipeline Variables

Fill in the required variables in the env section:

Set Pipeline Secrets

In the EdgeBit Console, generate a new Access Token for this pipeline to use. You can find this in the left hand navigation under “Access Tokens”.

Save this into the secret management tool you use for Buildkite.

Your EdgeBit organization URL is not a secret but you can also store it as a secret.

Set Up the GitHub app

Optionally, use the EdgeBit’s GitHub app to allow Developers to see a new EdgeBit check on their PRs:

1. Comments on the PR if new dependency changes are detected, highlighting:
   • New vulnerabilities and supply chain risks introduced by the changes
   • Confirming addition, modification or removal of dependency changes without issues
2. Link to more detail within EdgeBit about the current state of all known vulnerabilities

If a PR makes dependency changes and new issues are found, EdgeBit will comment with more information:

To set up the GitHub app, an admin should do the following:

1. In the EdgeBit Console, click on “Integrations” in the left navigation pane.
2. Click “New Integration” to start the GitHub app installation process.
3. Grant EdgeBit access to all repos in an organization or a subset.
4. Choose which project(s) the GitHub integration should be used with.

Test the Integration

Create a new branch and commit the changes that add .buildkite/pipeline.yml. You should see the new steps being run immediately.

View your Build Artifacts in the EdgeBit Console

Your EdgeBit Console contains reports about each SBOM uploaded and the current state of all vulnerabilities in your software Components.

Next: Install Machine Agent