From e11617a1e1698cf096e1bd6d7254da72c543b92b Mon Sep 17 00:00:00 2001
From: syoul <syoul@librezo.fr>
Date: Thu, 19 Mar 2026 16:53:24 +0100
Subject: [PATCH] fix: sbom-generate utilise alpine + install syft (image
 distroless sans shell)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .woodpecker.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.woodpecker.yml b/.woodpecker.yml
index 9079e47..96cfb98 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -38,10 +38,12 @@ steps:
   # Etape 2b : Generation SBOM (Syft) — inventaire des composants des images Docker
   # NOTE: volumes: et from_secret incompatibles dans le meme step — pas de secrets ici
   - name: sbom-generate
-    image: anchore/syft:latest
+    image: alpine:3.20
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     commands:
+      - apk add --no-cache curl
+      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
       - mkdir -p .reports
       - syft prestashop/prestashop:8-apache -o cyclonedx-json --file .reports/sbom-prestashop.cyclonedx.json
       - syft mariadb:10.11 -o cyclonedx-json --file .reports/sbom-mariadb.cyclonedx.json