
Generate SBOM and enforce policies

You can use the Harness SSCA steps in Harness CI/CD pipelines to generate an SBOM for a container image and enforce software supply chain security policies against it.

To generate an SBOM in Harness, you need a pipeline with a CI (build) stage, a CD (deploy) stage, or both. For example, the pipeline created in this tutorial has a Build stage with three steps and a Deploy stage with two steps.

The Build stage in this tutorial pipeline has the following three steps:

  • Run step: Build and test an artifact (image).
  • Build and Push an image to Docker Registry step: Build and push the image to a Docker registry.
  • SSCA Orchestration step: Generate the SBOM.

This tutorial explains how to configure the SSCA Orchestration and SSCA Enforcement steps, which generate an SBOM and enforce SSCA policies, respectively.

Generate a key pair

Keys are used to sign and verify attestations.

  1. Use Cosign to generate a public and private key pair. Running cosign generate-key-pair writes cosign.key (the private key, encrypted with the password you enter at the prompt) and cosign.pub to the current directory.
  2. Create two Harness file secrets, one for the private key file (cosign.key) and one for the public key file (cosign.pub).
  3. Create a Harness text secret to store the password for the private key.

The SSCA steps in your Harness pipelines use the private key to sign attestations and the public key to verify the authenticity of the attestations. Treat the private key secret and its password as signing credentials: anyone who holds both can produce attestations that the SSCA Enforcement step will accept as genuine, so scope those secrets as narrowly as your pipelines allow and share only the public key with anyone who merely needs to verify.

Generate an SBOM

The SSCA Orchestration step does the following:

  • Generates an SBOM in the specified format.
  • Generates and signs an attestation using the provided private key and password.
  • Stores the SBOM in Harness and uploads the signed attestation (.att) to your container registry alongside the image. Following the Cosign convention, the attestation is bound to the image digest rather than to the tag you entered.

  1. Add the SSCA Orchestration step to either the Build or Deploy stage.

    • In a Build stage, add the SSCA Orchestration step after the artifact (image) has been pushed to an artifact repository, because the step reads the image from the registry.
    • In a Deploy stage, add the SSCA Orchestration step before the deployment step.

info

In a Deploy stage, the SSCA Orchestration and SSCA Enforcement steps can only be used inside a Container step group.

  2. Enter a Name for the step.

  3. For Step Mode, select Generation.

  4. Select the SBOM Tool to use to generate the SBOM, such as Syft.

  5. For SBOM Format, select either SPDX or CycloneDX.

  6. Select Image as the Artifact Type.

  7. For Container Registry, select the Docker Registry connector that is configured for the Docker-compliant container registry where your artifact is stored, such as Docker Hub, Amazon ECR, or GCR.

    If you're using Docker-compliant ECR or GCR repositories, you must configure your Docker Registry connector as a valid artifact source.

  8. For Image, enter the repo path (in your container registry) and tag for the image for which you're generating an SBOM, such as my-docker-repo/my-artifact:latest.

    For Docker-compliant ECR or GCR repositories, provide the full URI for the image, such as 1234567890.dkr.ecr.REGION.amazonaws.com/IMAGE_NAME:TAG.

    Prefer an immutable tag (for example, one derived from the build number or commit) over a mutable tag such as latest. A mutable tag can point at a different image by the time the SSCA Enforcement step runs, in which case the attestation generated here will not match, or will not be found for, the image actually being checked.

  9. For Private Key, select the Harness file secret containing the private key to use to sign the attestation.

  10. For Password, select the Harness text secret containing the password for the private key.

Create policies

Harness SSCA enforces the policies that you define in an SSCA policy file. Create the policy file in the Harness File Store.

  1. In your Harness Project, go to File Store under Project Setup. You can also create policies at the Account and Org scopes.
  2. Select New, and then select New File.
  3. Enter a Name, and then select Manifest for File Usage.
  4. Enter the policy definitions in the text editor, and then select Save.

Enforce policies

The SSCA Enforcement step does the following:

  • Verifies the authenticity of the attestation: the signature on the attestation stored with the image is checked against the public key you supply.
  • Applies the policies defined in the specified policy file to the SBOM components.
  • Records policy violations and shows them on the Artifacts tab on the Execution details page.

  1. Add the SSCA Enforcement step to either the Build or Deploy stage.

    • In a Build stage, add the SSCA Enforcement step after the artifact (image) has been pushed to an artifact repository and after the SSCA Orchestration step that generated its attestation.
    • In a Deploy stage, add the SSCA Enforcement step before the deployment step, so that the image is checked before it is rolled out.

info

In a Deploy stage, the SSCA Orchestration and SSCA Enforcement steps can only be used inside a Container step group.

  2. Enter a Name for the step.

  3. Select Image as the Artifact Type.

  4. For Container Registry, select the Docker Registry connector that is configured for the Docker-compliant container registry where your artifact is stored, such as Docker Hub, Amazon ECR, or GCR.

    If you're using Docker-compliant ECR or GCR repositories, you must configure your Docker Registry connector as a valid artifact source.

  5. For Image, enter the repo path (in your container registry) and tag for the relevant image, such as my-docker-repo/my-artifact:latest. Use the same image reference that the SSCA Orchestration step attested, otherwise there is no matching attestation to verify.

    For Docker-compliant ECR or GCR repositories, provide the full URI for the image, such as 1234567890.dkr.ecr.REGION.amazonaws.com/IMAGE_NAME:TAG.

  6. For Public Key, select the Harness file secret containing the public key to use to verify the authenticity of the attestation.

  7. For File Path, provide the path to your SSCA policy file in the Harness File Store.
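The policy file you create in the File Store and the SSCA Enforcement step that applies it are, at their core, a deny-list evaluated against the SBOM's component list. The following is an added example, written for this page and not Harness's own enforcement engine, that shows that evaluation on a constructed CycloneDX and a constructed SPDX SBOM. The policy layout (a deny_list of rules keyed on name, version constraint and license) is illustrative; the real Harness policy-file schema may differ, and the example deliberately skips the signature check that the Enforcement step performs before any policy is applied.

```python
"""Policy evaluation over an SBOM, in the spirit of the SSCA Enforcement step.

Added example, not Harness's own engine. Policy schema is illustrative.
"""
import json
import re

# Constructed sample SBOMs (hand-written for this example, not tool output).
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "libssl", "version": "1.1.1k",
         "licenses": [{"license": {"id": "OpenSSL"}}]},
        {"name": "log4j-core", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "readline", "version": "8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "libssl", "versionInfo": "1.1.1k", "licenseConcluded": "OpenSSL"},
        {"name": "log4j-core", "versionInfo": "2.14.1", "licenseConcluded": "Apache-2.0"},
        {"name": "readline", "versionInfo": "8.1", "licenseConcluded": "GPL-3.0-only"},
    ],
})

# Illustrative policy (assumed layout): every field in a rule must match.
POLICY = {
    "deny_list": [
        {"name": "log4j-core", "version": "<2.17.1"},  # block a known-bad range
        {"license": "GPL-3.0-only"},                   # block a license outright
    ],
}


def load_components(sbom_json):
    """Normalise CycloneDX or SPDX JSON into [{name, version, licenses}]."""
    doc = json.loads(sbom_json)
    out = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            licenses = []
            for entry in c.get("licenses", []):
                lic = entry.get("license") or {}
                lid = lic.get("id") or lic.get("name") or entry.get("expression")
                if lid:
                    licenses.append(lid)
            out.append({"name": c.get("name", ""), "version": c.get("version", ""),
                        "licenses": licenses})
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            lic = p.get("licenseConcluded") or p.get("licenseDeclared") or ""
            out.append({"name": p.get("name", ""), "version": p.get("versionInfo", ""),
                        "licenses": [lic] if lic and lic != "NOASSERTION" else []})
    else:
        raise ValueError("unrecognised SBOM format")
    return out


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_key(v):
    """Numeric parts only, so '1.1.1k' -> (1, 1, 1); adequate for the demo."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def version_matches(constraint, version):
    """Evaluate a constraint such as '<2.17.1' or '2.14.1' (implicit ==)."""
    m = re.fullmatch(r"(<=|>=|==|<|>)?\s*(\S+)", constraint.strip())
    op, target = m.group(1) or "==", m.group(2)
    return _OPS[op](version_key(version), version_key(target))


def rule_matches(rule, comp):
    """A deny rule matches when every field it specifies matches the component."""
    if "name" in rule and rule["name"] != comp["name"]:
        return False
    if "version" in rule and not version_matches(rule["version"], comp["version"]):
        return False
    if "license" in rule and rule["license"] not in comp["licenses"]:
        return False
    return True


def evaluate(sbom_json, policy):
    """Return one violation record per (component, deny rule) pair that matches."""
    violations = []
    for comp in load_components(sbom_json):
        for rule in policy.get("deny_list", []):
            if rule_matches(rule, comp):
                violations.append({"component": comp["name"],
                                   "version": comp["version"], "rule": rule})
    return violations


if __name__ == "__main__":
    for v in evaluate(SAMPLE_CYCLONEDX, POLICY):
        print(f"VIOLATION {v['component']}@{v['version']} matched {v['rule']}")
```

Two design points worth carrying over to a real policy file: a rule that omits the name (like the license rule above) applies to every component, which is what you want for license bans but a footgun for version rules; and version comparison of package strings is lossy (the example throws away the "k" in 1.1.1k), so pin deny rules to the exact ecosystem version format or match on a purl where the format provides one.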

View attestations and violations

When the pipeline runs, the SBOM is generated and the attestation is signed. The signed attestation is stored, as an .att file, in the artifact repository along with the image. Because the attestation lives in the registry, you can also verify it outside Harness with the public key, for example with cosign verify-attestation --key cosign.pub IMAGE (pass --type if the attestation's predicate type is not Cosign's default).

When viewing the Execution details page in Harness, you can view and download the SBOM from the Artifacts tab.

tip

If your pipeline has multiple stages, the Artifacts tab is filtered by stage. Use the dropdown menu to select the relevant stage.

You can also see the number of policy violations in the Violations column on the Artifacts tab. Select the number to inspect the details of the violations.