HCP SBOM Provisioner

Type: hcp-sbom

The hcp-sbom Packer provisioner downloads the SBOM file from the remote machine and sends it to HCP Packer when the build is complete (only if the template is HCP-enabled). The SBOM file is automatically removed at the end of the process. If the user wants to retain a copy of the SBOM file, they should specify the destination field in the provisioner.

Currently, we support CycloneDX and SPDX SBOM formats in JSON.

TBA: Add more details about max number of files allowed to download, and if we are going to add the file name field.

Basic Example

{
  "type": "hcp-sbom",
  "source": "/tmp/sbom_cyclonedx.json",
  "destination": "./sbom/sbom_cyclonedx.json"
}

provisioner "hcp-sbom" {
  source = "/tmp/sbom_cyclonedx.json"
  destination = "./sbom/sbom_cyclonedx.json"
}

Configuration Reference

Required Parameters:

• source (string) - Source is a required field that specifies the path to the SBOM file that needs to be downloaded. It can be a file path or a URL.

Optional Parameters:

• destination (string) - Destination is an optional field that specifies the path where the SBOM file will be downloaded to for the user. The 'Destination' must be a writable location. If the destination is a file, the SBOM will be saved or overwritten at that path. If the destination is a directory, a file will be created within the directory to store the SBOM. Any parent directories for the destination must already exist and be writable by the provisioning user (generally not root), otherwise, a "Permission Denied" error will occur. If the source path is a file, it is recommended that the destination path be a file as well.

Example Usage

{
  "builders": [
    {
      "type": "docker",
      "image": "ubuntu:20.04",
      "commit": true
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "apt-get update -y",
        "apt-get install -y curl",
        "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\""
      ]
    },
    {
      "type": "shell",
      "inline": [
        "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json",
        "cnquery sbom --output spdx-json --output-target /tmp/sbom_spdx.json"
      ]
    },
    {
      "type": "hcp-sbom",
      "source": "/tmp/sbom_cyclonedx.json",
      "destination": "./sbom"
    },
    {
      "type": "hcp-sbom",
      "source": "/tmp/sbom_spdx.json",
      "destination": "./sbom/sbom_spdx.json"
    }
  ]
}

packer {
  required_plugins {
    docker = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/docker"
    }
  }
}

source "docker" "ubuntu" {
  image  = "ubuntu:20.04"
  commit = true
}

build {
  sources = ["source.docker.ubuntu"]

  hcp_packer_registry {
    bucket_name = "test-bucket"
  }


  provisioner "shell" {
    inline = [
      "apt-get update -y",
      "apt-get install -y curl gpg",
      "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\""
    ]
  }

  provisioner "shell" {
    inline = [
      "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json",
      "cnquery sbom --output spdx-json --output-target /tmp/sbom_spdx.json",
    ]
  }

  provisioner "hcp-sbom" {
    source      = "/tmp/sbom_cyclonedx.json"
    destination = "./sbom"
  }

  provisioner "hcp-sbom" {
    source      = "/tmp/sbom_spdx.json"
    destination = "./sbom/sbom_spdx.json"
  }
}