EdgeBit gives developers context about new and modified software dependencies when submitted a pull request or pushing a new commit before it merges into main.
This context is useful for:
This document will walk through setting up a generic pipeline runner that can run CLI binaries.
This guide will use the Syft open source project to generate the software bill of materials (SBOM) and the EdgeBit CLI to upload them.
First, in the EdgeBit Console, generate a new Access Token for this repository to use. You can find this in the left hand navigation under “Access Tokens”.
Install the CLI tools:
# Install ebctl
$ curl -sL https://install.edgebit.io/releases/edgebit-cli/latest/edgebit-cli_Linux_x86_64.tar.gz --output ebctl.tar.gz
$ tar -xvf ebctl.tar.gz
# Install syft v0.74.1
$ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b . v0.74.1
In your pipeline, run the following commands to generate an SBOM after your container or project is built:
$ export IMAGE='registry.example.com/foo:latest'
$ export NAME='foo'
$ docker build -t $IMAGE .
$ syft packages $IMAGE -o syft > $NAME.sbom
Next, compile some commit info in order to identify where this SBOM was generated from:
$ BASE_BRANCH='main'
$ BASE_SHA=$(git merge-base --fork-point $BASE_BRANCH)
$ LATEST_SHA=$(git rev-parse HEAD)
Upload the SBOM using the ebctl tool:
$ export EDGEBIT_API_KEY='dnrekvq95CJ6_JcVixpfTEx8L3k3hDsggoqSr'
$ export EDGEBIT_URL='https://foo.edgebit.io'
$ ebctl upload-sbom --component $NAME --tag latest --repo https://github.com/org/repo --commit $LATEST_SHA --image-tag $IMAGE $NAME.sbom
Create a new branch and commit the changes to watch your pipeline run.
Optionally, use the EdgeBit’s GitHub app to allow Developers to see a new EdgeBit check on their PRs:
If a PR makes dependency changes and new issues are found, EdgeBit will comment with more information:
Your EdgeBit Console contains reports about each SBOM uploaded and the current state of all vulnerabilities in your software Components.
