From 77f5f4475855f234743f7e7a3619d93433773e4f Mon Sep 17 00:00:00 2001
From: syoul
Date: Tue, 24 Mar 2026 12:12:58 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20sbom-generate=20=E2=80=94=20image=20anch?=
 =?UTF-8?q?ore/syft=20officielle=20+=20versions=20pinn=C3=A9es?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- anchore/syft:v1.42.3 (remplace alpine:3.20 + curl-install latest)
- aquasec/trivy:0.69.3 (remplace :latest)
- Source explicite docker:g1flux:latest pour éviter le bug d'auto-détection Syft dans un container Woodpecker
Co-Authored-By: Claude Sonnet 4.6
---
 .woodpecker.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 44d7074..5675906 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -45,20 +45,20 @@ steps:
 # Etape 4a : Generation SBOM (Syft) depuis l'image locale
 # NOTE: volumes + pas de from_secret : compatible
+ # Utilise l'image officielle anchore/syft pour eviter le bug d'auto-detection
+ # de container (signal Go imprime en adresse memoire sur alpine + curl install)
 - name: sbom-generate
- image: alpine:3.20
+ image: anchore/syft:v1.42.3
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 commands:
- - apk add --no-cache curl
- - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
 - mkdir -p .reports
- - syft g1flux:latest -o cyclonedx-json --file .reports/sbom-app.cyclonedx.json
+ - syft packages docker:g1flux:latest -o cyclonedx-json=.reports/sbom-app.cyclonedx.json
 - echo "SBOM genere"
 # Etape 4b : Scan CVE (Trivy) depuis le SBOM
 - name: sbom-scan
- image: aquasec/trivy:latest
+ image: aquasec/trivy:0.69.3
 volumes:
 - /home/syoul/trivy-cache:/root/.cache/trivy
 commands:
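Review bot: The two new `image:` lines pin by tag only, and a registry tag can be re-pointed, so `anchore/syft:v1.42.3` and `aquasec/trivy:0.69.3` are still not immutable references. That matters most for `sbom-generate`, which mounts `/var/run/docker.sock` and therefore gives whatever image runs there control of the host's Docker daemon. Consider adding the digest to both, for example `image: anchore/syft:v1.42.3@sha256:<digest-of-the-reviewed-image>`, keeping the tag for readability. Separately, the official Syft image is, as far as I know, built without a shell, so it is worth confirming that the `mkdir -p .reports` and `echo` commands still run in this step. The `sbom-scan` step's `commands:` list continues outside the hunk.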