This topic explains how to configure a pipeline to ingest an SBOM generated by an STO scanner step. It uses the Blackduck STO step as an example.
Generate a key pair
Keys are used to sign and verify attestations.
- Generate a public and private key pair. For example, running cosign generate-key-pair prompts for a password and writes the password-encrypted private key to cosign.key and the public key to cosign.pub.
- Create two Harness file secrets, one for the private key file and one for the public key file.
- Create a Harness text secret to store the password for the private key.
Configure the STO scan step to generate SBOM
Configure an STO scanner step, such as the Blackduck STO step, and make sure you select Generate SBOM and the SBOM Format.
Get the SBOM file path
The Blackduck STO step creates a JOB_ID output variable that you can use to reference the SBOM file path in the SSCA Orchestration step.
Replace STAGE_ID and STEP_ID in the Harness expression that resolves the JOB_ID output variable with the stage ID and step ID of your Blackduck STO step (the identifiers, not the display names).
Use the expression in your SBOM file path. The exact path depends on where your scanner outputs SBOM files. For example, this filepath references a Blackduck STO step with the ID myblackduckstep in a stage with the ID
Alternatively, you can get the output path and the output variable expression from a previous run of the same pipeline. To do this, go to the execution details page, select the stage that contains the STO scanner step, and then select the step. The step's logs show the output path, and the Output tab shows the output variable and the expression that references it. Copy the expression rather than the literal JOB_ID value from that run, so the path resolves correctly on every execution.
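As an added example (not Harness's own code and not part of the original page), the following Python script performs two pre-flight checks a practitioner would want before pointing the SSCA Orchestration step at the file: it builds the JOB_ID expression from a stage ID and step ID, and it confirms that the file the path resolves to is a non-empty SBOM in the format selected in the scanner step. The expression template and identifier rules are assumptions about Harness expression syntax, the file layout and the stage ID "scan" are hypothetical, and the SBOM documents are constructed samples rather than scanner output.

```python
"""Pre-flight checks before an SSCA Orchestration ingestion step.

Added example, not Harness's own code. The expression template and the
identifier rule are assumptions about Harness expression syntax; the
SBOM documents below are constructed samples, not scanner output.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumption: Harness resolves a step's output variables with an expression
# of this shape, keyed by stage and step identifiers (not display names).
JOB_ID_EXPR = (
    "<+pipeline.stages.{stage}.spec.execution.steps.{step}"
    ".output.outputVariables.JOB_ID>"
)
# Assumption: Harness identifiers are letters, digits and underscores.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def job_id_expression(stage_id: str, step_id: str) -> str:
    """Build the expression that resolves to the Blackduck step's JOB_ID.

    Identifiers are validated up front: a display name with spaces or
    hyphens pasted here leaves the expression unresolved at runtime and
    the ingestion step looking for a path that does not exist.
    """
    for kind, value in (("stage", stage_id), ("step", step_id)):
        if not IDENT_RE.match(value):
            raise ValueError(f"{kind} ID {value!r} is not a valid Harness identifier")
    return JOB_ID_EXPR.format(stage=stage_id, step=step_id)


def resolve_sbom_path(path_template: str, stage_id: str, step_id: str, job_id: str) -> str:
    """Substitute a JOB_ID value (for example one read from a previous run's
    Output tab) into a path containing the expression, to see locally what
    the SSCA step will look for."""
    expr = job_id_expression(stage_id, step_id)
    if expr not in path_template:
        raise ValueError("path does not contain the JOB_ID expression for that stage/step")
    return path_template.replace(expr, job_id)


def detect_sbom_format(doc: dict) -> str:
    """Return 'SPDX' or 'CycloneDX' from the document's own markers.

    Empty SBOMs are rejected: a scanner that ran but found nothing yields a
    file that ingests cleanly and then gets attested while listing nothing.
    """
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and "SPDXID" in doc:
        if not doc.get("packages"):
            raise ValueError("SPDX document lists no packages")
        return "SPDX"
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        if not doc.get("components"):
            raise ValueError("CycloneDX document lists no components")
        return "CycloneDX"
    raise ValueError("not a recognised SPDX or CycloneDX JSON document")


def check_ingestion_file(path: str, expected_format: str) -> str:
    """Fail before the SSCA step does: the file must exist, parse as JSON,
    and match the SBOM Format selected in the scanner step."""
    p = Path(path)
    if not p.is_file():
        raise FileNotFoundError(f"SBOM not found at {p}; check the JOB_ID expression and output path")
    with p.open(encoding="utf-8") as fh:
        doc = json.load(fh)
    found = detect_sbom_format(doc)
    if found.lower() != expected_format.lower():
        raise ValueError(f"scanner wrote {found} but the step is configured for {expected_format}")
    return found


# Constructed samples (not real scanner output).
SAMPLE_CYCLONEDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "log4j-core", "version": "2.17.1"}],
}
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "sample",
    "packages": [{"SPDXID": "SPDXRef-Package-1", "name": "openssl", "versionInfo": "3.0.13"}],
}


def demo() -> str:
    """Write the CycloneDX sample under a made-up JOB_ID and run the checks."""
    stage, step, job_id = "scan", "myblackduckstep", "a1b2c3d4"  # hypothetical stage ID and value
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical layout: <dir>/sbom-<JOB_ID>.json; use your scanner's real layout.
        template = f"{tmp}/sbom-{job_id_expression(stage, step)}.json"
        actual = resolve_sbom_path(template, stage, step, job_id)
        Path(actual).write_text(json.dumps(SAMPLE_CYCLONEDX), encoding="utf-8")
        return check_ingestion_file(actual, "CycloneDX")


if __name__ == "__main__":
    print(job_id_expression("scan", "myblackduckstep"))
    print("ingestion input OK:", demo())
```

Run the checks from a Run step placed between the scanner step and the SSCA Orchestration step, with the expression already expanded by Harness in the path argument; a wrong identifier or a format mismatch then fails the pipeline at the step that caused it rather than at attestation time.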
Configure the SSCA Orchestration step
Add an SSCA Orchestration step configured to ingest the SBOM.
- Set the Step Mode to Ingestion.
- For SBOM File Path, enter the SBOM file path that uses the JOB_ID value, as explained in Get the SBOM file path.
- For Container Registry, select the Docker Registry connector that is configured for the Docker-compliant container registry where you stored the artifact associated with the SBOM, such as Docker Hub, Amazon ECR, or GCR.
- For Image, enter the repo path (in your container registry) and tag for the image associated with the SBOM, such as
- Private Key: The Harness file secret containing the private key to use to sign the attestation.
- Password: The Harness text secret containing the password for the private key.
If you're using Docker-compliant ECR or GCR repositories, you must: