feat: fetch SPDX SBOM on container creation

dorser · dorser · commit 54141ff6b960 · 2026-02-25T16:00:24.000+02:00
Signed-off-by: Dor Serero &lt;dor.serero@gmail.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -55,6 +55,7 @@ RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build \
 
 # Build the image
 FROM scratch
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /micromize /micromize
 
 # Access to kernel debug filesystem (tracefs)
diff --git a/charts/micromize/templates/daemonset.yaml b/charts/micromize/templates/daemonset.yaml
@@ -63,6 +63,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            {{- if .Values.registryAuth.existingSecret }}
+            - name: DOCKER_CONFIG
+              value: /etc/docker-registry
+            {{- end }}
           volumeMounts:
             # Required for pinning BPF maps.
             - mountPath: /sys/fs/bpf
@@ -86,6 +90,11 @@ spec:
             # Required for container level enrichment.
             - mountPath: /host/usr
               name: host-usr
+            {{- if .Values.registryAuth.existingSecret }}
+            - mountPath: /etc/docker-registry
+              name: registry-auth
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       volumes:
@@ -110,6 +119,14 @@ spec:
         - name: host-usr
           hostPath:
             path: /usr
+        {{- if .Values.registryAuth.existingSecret }}
+        - name: registry-auth
+          secret:
+            secretName: {{ .Values.registryAuth.existingSecret }}
+            items:
+              - key: .dockerconfigjson
+                path: config.json
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/micromize/values.schema.json b/charts/micromize/values.schema.json
@@ -88,6 +88,15 @@
     },
     "podAnnotations": {
       "type": "object"
+    },
+    "registryAuth": {
+      "type": "object",
+      "properties": {
+        "existingSecret": {
+          "type": "string",
+          "description": "Name of an existing Kubernetes secret of type kubernetes.io/dockerconfigjson for private registry authentication"
+        }
+      }
     }
   }
 }
diff --git a/charts/micromize/values.yaml b/charts/micromize/values.yaml
@@ -43,3 +43,10 @@ serviceAccount:
 
 podAnnotations: {}
 
+# Registry authentication for SBOM fetching from private registries.
+# Provide the name of an existing Kubernetes secret of type
+# kubernetes.io/dockerconfigjson. The secret will be mounted and used
+# to authenticate when pulling SBOMs from private registries.
+registryAuth:
+  existingSecret: ""
+
diff --git a/internal/operators/operators.go b/internal/operators/operators.go
@@ -15,9 +15,11 @@
 package operators
 
 import (
+	"context"
 	"fmt"
 	"log/slog"
 	"math"
+	"time"
 
 	"github.com/inspektor-gadget/inspektor-gadget/pkg/datasource"
 	igoperators "github.com/inspektor-gadget/inspektor-gadget/pkg/operators"
@@ -27,6 +29,8 @@ import (
 	ocihandler "github.com/inspektor-gadget/inspektor-gadget/pkg/operators/oci-handler"
 	"github.com/inspektor-gadget/inspektor-gadget/pkg/operators/simple"
 	"github.com/inspektor-gadget/inspektor-gadget/pkg/utils/host"
+
+	"github.com/micromize-dev/micromize/internal/sbom"
 )
 
 // DataOperator is an alias for igoperators.DataOperator to avoid direct dependency in main
@@ -60,10 +64,12 @@ func NewCLIOperator() igoperators.DataOperator {
 func NewImaOperator() igoperators.DataOperator {
 	slog.Debug("Creating IMA operator")
 	opPriority := math.MaxInt
+	sbomFetcher := sbom.NewFetcher()
 
 	operatorOptions := []simple.Option{
 		simple.WithPriority(opPriority),
 		simple.OnInit(func(gadgetCtx igoperators.GadgetContext) error {
+			ctx := gadgetCtx.Context()
 			containersDatasource := gadgetCtx.GetDataSources()["containers"]
 			if containersDatasource == nil {
 				slog.Debug("IMA Operator: containers datasource not available, skipping")
@@ -75,14 +81,20 @@ func NewImaOperator() igoperators.DataOperator {
 				return fmt.Errorf("containers datasource missing event_type field")
 			}
 
+			containerConfigField := containersDatasource.GetField("container_config")
+			if containerConfigField == nil {
+				return fmt.Errorf("containers datasource missing container_config field")
+			}
+
+			containerIDField := containersDatasource.GetField("container_id")
+
 			if err := containersDatasource.Subscribe(func(source datasource.DataSource, data datasource.Data) error {
 				eventType, err := eventTypeField.String(data)
 				if err != nil {
 					return fmt.Errorf("getting event_type value: %w", err)
 				}
-
 				if eventType == "CREATED" {
-					slog.Info("IMA Operator: Container created event received")
+					handleContainerCreated(ctx, sbomFetcher, containerConfigField, containerIDField, data)
 				}
 				return nil
 			}, opPriority); err != nil {
@@ -93,3 +105,47 @@ func NewImaOperator() igoperators.DataOperator {
 	}
 	return simple.New("imaOperator", operatorOptions...)
 }
+
+func handleContainerCreated(ctx context.Context, fetcher *sbom.Fetcher, configField datasource.FieldAccessor, containerIDField datasource.FieldAccessor, data datasource.Data) {
+	ociConfig, err := configField.String(data)
+	if err != nil {
+		slog.Debug("Failed to read container_config field", "error", err)
+		return
+	}
+
+	imageRef, err := sbom.ImageRefFromOCIConfig(ociConfig)
+	if err != nil {
+		slog.Debug("Failed to parse OCI config", "error", err)
+		return
+	}
+
+	// Fallback: read image ref from Docker's config.v2.json when
+	// OCI annotations don't contain the image name (plain Docker).
+	if imageRef == "" && containerIDField != nil {
+		containerID, _ := containerIDField.String(data)
+		imageRef = sbom.ImageRefFromDockerConfig(containerID)
+	}
+
+	imageRef = sbom.NormalizeImageRef(imageRef)
+
+	fetchCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	sbomData, err := fetcher.FetchForImage(fetchCtx, imageRef)
+	if err != nil {
+		slog.Error("Failed to fetch SBOM", "error", err)
+		return
+	}
+	if sbomData != nil {
+		slog.Info("SBOM fetched for container image", "image", imageRef, "size", len(sbomData))
+
+		files, err := sbom.ParseFiles(sbomData)
+		if err != nil {
+			slog.Error("Failed to parse SBOM files", "error", err)
+			return
+		}
+		for _, f := range files {
+			slog.Info("SBOM binary file", "image", imageRef, "file", f.FileName, "sha256", f.SHA256)
+		}
+	}
+}
diff --git a/internal/sbom/sbom.go b/internal/sbom/sbom.go
diff --git a/internal/sbom/sbom_test.go b/internal/sbom/sbom_test.go

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,15 @@`
`88`	`88`	`},`
`89`	`89`	`"podAnnotations": {`
`90`	`90`	`"type": "object"`
	`91`	`+ },`
	`92`	`+ "registryAuth": {`
	`93`	`+ "type": "object",`
	`94`	`+ "properties": {`
	`95`	`+ "existingSecret": {`
	`96`	`+ "type": "string",`
	`97`	`+ "description": "Name of an existing Kubernetes secret of type kubernetes.io/dockerconfigjson for private registry authentication"`
	`98`	`+ }`
	`99`	`+ }`
`91`	`100`	`}`
`92`	`101`	`}`
`93`	`102`	`}`