Ingest SBOM from Aqua Trivy into SSCA

Harness SSCA can ingest SBOM generated from STO scanner steps, such as the Aqua Trivy STO step, if the resulting SBOM is in JSON SPDX or CycloneDx format.

This topic explains how to configure a pipeline to ingest SBOM generated by an Aqua Trivy STO scanner step.

You can also generate SBOM using built-in SBOM tools or ingest SBOM from any SBOM tool.

Generate a key pair

Keys are used to sign and verify attestations.

1. Generate a public and private key pair. For example, you can use Cosign to generate key pairs.
2. Create two Harness file secrets, one for the private key file and one for the public key file.
3. Create a Harness text secret to store the password for the private key.

Configure the STO scan step to generate SBOM

Configure an STO scanner step, such as the Aqua Trivy STO step, and make sure you select Generate SBOM and the SBOM Format.

Get the SBOM file path

The Aqua Trivy STO step creates a JOB_ID output variable that you can use to reference the SBOM file path in the SSCA Orchestration step.

1. Replace STAGE_ID and STEP_ID in the following Harness expression with the stage ID and step ID for your Aqua Trivy STO step.

   <+pipeline.stages.STAGE_ID.spec.execution.steps.STEP_ID.output.outputVariables.JOB_ID>

2. Use the expression in your SBOM file path. The exact path depends on where your scanner outputs SBOM files. For example, this filepath references an Aqua Trivy STO step with the ID myaquatrivystep in a stage with the ID mybuildstage:

   /addon/results/<+pipeline.stages.mybuildstage.spec.execution.steps.myaquatrivystep.output.outputVariables.JOB_ID>.sbom

tip

Alternately, you can get the output path and output variable expression from a previous run of the same pipeline. To do this, go to the execution details page, select the stage with the STO scanner step, and then select the STO scanner step. In the step's logs, you can find the output path, and you can get the output variable from the Output tab.

Configure the SSCA Orchestration step

Add an SSCA Orchestration step configured to ingest the SBOM.

• Set the Step Mode to Ingestion.
• For SBOM File Path, enter the SBOM file path that uses the JOB_ID value, as explained in Get the SBOM file path.
• For Container Registry, select the Docker Registry connector that is configured for the Docker-compliant container registry where you stored the artifact associated with the SBOM, such as Docker Hub, Amazon ECR, or GCR.
• For Image, enter the repo path (in your container registry) and tag for the image associated with the SBOM, such as my-docker-repo/my-artifact:latest.
• Private Key: The Harness file secret containing the private key to use to sign the attestation.
• Password: The Harness text secret containing the password for the private key.

ECR and GCR repos

If you're using Docker-compliant ECR or GCR repositories, you must:

1. Configure your Docker Registry connector as a valid artifact source.
   • For ECR, go to Use Docker Registry for ECR.
   • For GCR, go to Use Docker Registry for GCR
2. Use the full URI for the Image in your SSCA Orchestration step, such as 1234567890.dkr.ecr.REGION.amazonaws.com/IMAGE_NAME:TAG.