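#!/usr/bin/env bash
# =============================================================================
# SBOM Generation — CycloneDX + SPDX
#
# Usage:  <script> <image>
# Env:    REPORT_DIR   output directory (default: ./scan-reports)
#
# Produces three artifacts for the given container image:
#   sbom.spdx.json        SPDX SBOM (Trivy)
#   sbom.cyclonedx.json   CycloneDX SBOM (Syft)
#   grype-vulns.json      vulnerability report (Grype)
#
# Each artifact is written to a scratch file first and renamed into place only
# after the producing tool exits 0, so a failed or interrupted run never leaves
# a truncated file that a downstream consumer (policy check, attestation step)
# could mistake for a complete SBOM.
# =============================================================================
set -euo pipefail

IMAGE="${1:?Usage: $0 <image>}"
REPORT_DIR="${REPORT_DIR:-./scan-reports}"

# Fail early with a clear message if any generator is missing; under set -e a
# missing tool would otherwise abort mid-run with a bare "command not found"
# after earlier artifacts were already produced.
for tool in trivy syft grype; do
  command -v "${tool}" >/dev/null 2>&1 \
    || { printf 'error: required tool not found in PATH: %s\n' "${tool}" >&2; exit 1; }
done

mkdir -p -- "${REPORT_DIR}"

# Scratch directory inside REPORT_DIR so the final rename stays on the same
# filesystem (an atomic rename rather than a copy). Removed on any exit path.
tmpdir="$(mktemp -d "${REPORT_DIR}/.sbom.XXXXXX")" \
  || { printf 'error: mktemp failed in %s\n' "${REPORT_DIR}" >&2; exit 1; }
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

printf '=== Generating SBOM for %s ===\n' "${IMAGE}"

# SPDX format (via Trivy)
trivy image \
  --format spdx-json \
  --output "${tmpdir}/sbom.spdx.json" \
  "${IMAGE}"
mv -- "${tmpdir}/sbom.spdx.json" "${REPORT_DIR}/sbom.spdx.json"

# CycloneDX format (via Syft)
syft "${IMAGE}" \
  -o cyclonedx-json > "${tmpdir}/sbom.cyclonedx.json"
mv -- "${tmpdir}/sbom.cyclonedx.json" "${REPORT_DIR}/sbom.cyclonedx.json"

# Vulnerability report attached to SBOM
grype "${IMAGE}" \
  -o json > "${tmpdir}/grype-vulns.json"
mv -- "${tmpdir}/grype-vulns.json" "${REPORT_DIR}/grype-vulns.json"

printf '=== SBOM generated ===\n'
printf ' SPDX: %s\n' "${REPORT_DIR}/sbom.spdx.json"
printf ' CycloneDX: %s\n' "${REPORT_DIR}/sbom.cyclonedx.json"
printf ' Vulns: %s\n' "${REPORT_DIR}/grype-vulns.json"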