From 42b3d285055fbfb6a1f81fa0f46b967460cd5f62 Mon Sep 17 00:00:00 2001
From: syoul
Date: Thu, 19 Mar 2026 19:04:20 +0100
Subject: [PATCH] feat: integrer SBOM dans la pipeline CI
- sbom-generate: Syft scanne l'image Docker buildee (radar-business)
- sbom-scan: Trivy CVE depuis le SBOM (cache /home/syoul/trivy-cache)
- sbom-publish: envoi vers Dependency-Track (dtrack.syoul.fr)
Nouveau secret requis: dependency_track_token
Co-Authored-By: Claude Sonnet 4.6
---
 .woodpecker.yml | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index dba17d8..5471994 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -79,7 +79,54 @@ steps:
 docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
 echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
- # Etape 3 : Healthcheck post-deploiement
+ # Etape 3a : Generation SBOM (Syft) — inventaire de l'image Docker buildee
+ # NOTE: volumes: et from_secret incompatibles dans le meme step — pas de secrets ici
+ - name: sbom-generate
+ image: alpine:3.20
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ commands:
+ - apk add --no-cache curl
+ - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
+ - mkdir -p .reports
+ - |
+ PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
+ IMAGE="${PROJECT}-radar-business"
+ echo "SBOM sur image: $IMAGE"
+ syft "$IMAGE" -o cyclonedx-json --file .reports/sbom-radar.cyclonedx.json
+ - echo "SBOM genere $(wc -c < .reports/sbom-radar.cyclonedx.json) octets"
+
+ # Etape 3b : Scan CVE (Trivy) depuis le SBOM Syft
+ # Cache /home/syoul/trivy-cache evite ~200Mo de telechargement des DB CVE a chaque build
+ # Prerequis sur sonic : mkdir -p /home/syoul/trivy-cache
+ - name: sbom-scan
+ image: aquasec/trivy:latest
+ volumes:
+ - /home/syoul/trivy-cache:/root/.cache/trivy
+ commands:
+ - trivy sbom --format json --output .reports/trivy-radar.json .reports/sbom-radar.cyclonedx.json
+ - echo "Scan CVE termine"
+
+ # Etape 3c : Publication SBOM vers Dependency-Track (dtrack.syoul.fr)
+ # NOTE: from_secret et volumes: incompatibles — pas de volumes ici
+ - name: sbom-publish
+ image: alpine/curl:latest
+ environment:
+ DTRACK_TOKEN:
+ from_secret: dependency_track_token
+ commands:
+ - |
+ VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+ HTTP=$(curl -s -o /tmp/dtrack-response.txt -w "%{http_code}" -X POST "https://dtrack.syoul.fr/api/v1/bom" \
+ -H "X-Api-Key: $DTRACK_TOKEN" \
+ -F "autoCreate=true" \
+ -F "projectName=techradardev-app" \
+ -F "projectVersion=$VERSION" \
+ -F "bom=@.reports/sbom-radar.cyclonedx.json")
+ echo "HTTP $HTTP : $(cat /tmp/dtrack-response.txt)"
+ [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
+
+ # Etape 4 : Healthcheck post-deploiement
 - name: healthcheck
 image: alpine:3.20
 commands: