CLOUDP-315271: Onboard Kundukto to CI

.gitignore

@@ -5,6 +5,7 @@
 *.so
 *.dylib
 bin/**
+compliance/**
 dist/**
 # mac notarization service
 linux_amd64/**

Makefile

@@ -117,7 +117,7 @@ addcopy: ## Add missing license to files
 	@scripts/add-copy.sh
 
 .PHONY: generate
-generate: gen-docs gen-mocks gen-api-commands ## Generate docs, mocks, code, api commands, all auto generated assets
+generate: gen-docs gen-mocks gen-api-commands gen-purls ## Generate docs, mocks, code, api commands, all auto generated assets
 
 .PHONY: apply-overlay
 apply-overlay: ## Apply overlay on openapi spec
@@ -149,6 +149,14 @@ gen-docs: gen-docs-metadata ## Generate docs for atlascli commands
 	@echo "==> Generating docs"
 	go run -ldflags "$(LINKER_FLAGS)" ./tools/cmd/docs
 
+.PHONY: gen-purls
+gen-purls: # Generate purls on linux os
+	@echo "==> Generating purls"
+	GOOS=linux GOARCH=amd64 go build -trimpath -mod=readonly -o bin/atlas-linux ./cmd/atlas
+	go version -m ./bin/atlas-linux | \
+		awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | \
+		LC_ALL=C sort > build/package/purls.txt
+
 .PHONY: build
 build: ## Generate an atlas binary in ./bin
 	@echo "==> Building $(ATLAS_BINARY_NAME) binary"

build/ci/check-purls.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+if ! git diff --quiet --exit-code build/package/purls.txt; then
+    echo "build/package/purls.txt is out of date. Please run 'make gen-purls' and commit the result."
+    git --no-pager diff build/package/purls.txt
+    exit 1
+fi

build/ci/evergreen.yml

@@ -533,6 +533,21 @@ functions:
         binary: make
         args:
           - otel
+  "check purls":
+    - command: subprocess.exec
+      type: test
+      params:
+        <<: *go_options
+        binary: make
+        args: 
+        - gen-purls
+    - command: subprocess.exec
+      params:
+        <<: *go_options
+        include_expansions_in_env:
+          - workdir
+        binary: build/ci/check-purls.sh
+
 tasks:
   - name: compile
     tags: ["code_health"]
@@ -1726,6 +1741,10 @@ tasks:
         vars:
           span: "coverage"
           attr: "total=${percentage},count=${count}"
+  - name: check_purls
+    tags: ["code_health"]
+    commands:
+      - func: "check purls"
   - name: snyk_monitor
     tags:
     - snyk

build/ci/release.yml

@@ -70,6 +70,48 @@ functions:
       params:
         <<: *go_options
         binary: build/package/generate-notices.sh
+  "generate sbom":  
+    - command: ec2.assume_role
+      params:
+        role_arn: ${ecr_role_arn}
+    - command: subprocess.exec
+      params:
+        <<: *go_options
+        include_expansions_in_env:
+          - AWS_ACCESS_KEY_ID
+          - AWS_SECRET_ACCESS_KEY
+          - AWS_SESSION_TOKEN
+          - workdir
+        binary: build/package/generate-sbom.sh 
+  "run silkbomb": 
+    - command: ec2.assume_role
+      params:
+        role_arn: ${kondukto_role_arn}
+    - command: shell.exec
+      params:
+        silent: true
+        shell: bash
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
+        script: |
+          set -e
+          kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
+          echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env
+    - command: shell.exec
+      params:
+        shell: bash
+        script: |
+          docker run \
+          --pull=always \
+          --platform="linux/amd64" \
+          --rm \
+          --env-file ${workdir}/kondukto_credentials.env \
+          -v ${workdir}:/workdir \
+          901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
+          upload \
+          --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json \
+          --repo mongodb_mongodb-atlas-cli  \
+          --branch ${branch_name}  
+          rm ${workdir}/kondukto_credentials.env
   "package":
     - command: github.generate_token
       params:
@@ -317,6 +359,10 @@ tasks:
           permissions: public-read
           content_type: ${content_type|application/octet-stream}
           display_name: unsigned
+  - name: generate_and_upload_sbom
+    commands:  
+      - func: "generate sbom"
+      - func: "run silkbomb"
   - name: package_goreleaser
     tags: ["packaging"]
     depends_on:
@@ -528,6 +574,8 @@ buildvariants:
         depends_on:
           - name: package_msi
             variant: "go_atlascli_msi_snapshot"
+          - name: generate_and_upload_sbom
+            variant: ssdlc
   - name: publish_atlascli_snapshot
     display_name: "Publish AtlasCLI Snapshot"
     run_on:
@@ -553,6 +601,8 @@ buildvariants:
         depends_on:
           - name: package_msi
             variant: release_atlascli_msi
+          - name: generate_and_upload_sbom
+            variant: ssdlc
   - name: copybara
     display_name: "Copybara"
     git_tag_only: true
@@ -605,3 +655,11 @@ buildvariants:
       - ubuntu2004-small
     tasks:
       - name: .smoke-test .generate .repo .atlascli
+  - name: ssdlc
+    display_name: Compliance [ssdlc]
+    run_on:
+      - ubuntu2204-small
+    expansions:
+      <<: *go_linux_version
+    tasks:
+      - name: generate_and_upload_sbom

build/package/.goreleaser.yml

@@ -142,4 +142,5 @@ release:
   name_template: "MongoDB Atlas CLI {{.Version}}"
   extra_files:
     - glob: ./bin/*.msi
-version: 2
+    - glob: compliance/**/*
+version: 2

build/package/generate-sbom.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+export WORKDIR=${workdir:?}
+
+# Authenticate Docker to AWS ECR
+aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
+
+echo "Generating SBOMs..."
+docker run --rm \
+  -v "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \
+  901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
+  update \
+  --purls /pwd/build/package/purls.txt \
+  --sbom-out /pwd/sbom.json
+

build/package/purls.txt

@@ -0,0 +1,122 @@
+pkg:golang/cloud.google.com/go/auth/[email protected]
+pkg:golang/cloud.google.com/go/[email protected]
+pkg:golang/cloud.google.com/go/compute/[email protected]
+pkg:golang/cloud.google.com/go/[email protected]
+pkg:golang/cloud.google.com/go/[email protected]
+pkg:golang/cloud.google.com/go/[email protected]
+pkg:golang/github.com/AlecAivazis/survey/[email protected]
+pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/[email protected]
+pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/[email protected]
+pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/[email protected]
+pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/[email protected]
+pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/[email protected]
+pkg:golang/github.com/AzureAD/[email protected]
+pkg:golang/github.com/Masterminds/semver/[email protected]
+pkg:golang/github.com/PaesslerAG/[email protected]
+pkg:golang/github.com/PaesslerAG/[email protected]
+pkg:golang/github.com/ProtonMail/[email protected]
+pkg:golang/github.com/STARRY-S/[email protected]
+pkg:golang/github.com/andybalholm/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/feature/ec2/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/internal/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/internal/endpoints/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/internal/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/service/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/service/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/service/[email protected]
+pkg:golang/github.com/aws/aws-sdk-go-v2/service/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/bodgit/[email protected]
+pkg:golang/github.com/bodgit/[email protected]
+pkg:golang/github.com/bodgit/[email protected]
+pkg:golang/github.com/briandowns/[email protected]
+pkg:golang/github.com/cloudflare/[email protected]
+pkg:golang/github.com/denisbrodbeck/[email protected]
+pkg:golang/github.com/dsnet/[email protected]
+pkg:golang/github.com/fatih/[email protected]
+pkg:golang/github.com/felixge/[email protected]
+pkg:golang/github.com/fsnotify/[email protected]
+pkg:golang/github.com/go-logr/[email protected]
+pkg:golang/github.com/go-logr/[email protected]
+pkg:golang/github.com/go-viper/mapstructure/[email protected]
+pkg:golang/github.com/golang-jwt/jwt/[email protected]
+pkg:golang/github.com/golang/[email protected]
+pkg:golang/github.com/golang/[email protected]
+pkg:golang/github.com/google/go-github/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/googleapis/[email protected]
+pkg:golang/github.com/googleapis/gax-go/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/[email protected]
+pkg:golang/github.com/hashicorp/golang-lru/[email protected]
+pkg:golang/github.com/iancoleman/[email protected]
+pkg:golang/github.com/kballard/[email protected]
+pkg:golang/github.com/klauspost/[email protected]
+pkg:golang/github.com/klauspost/[email protected]
+pkg:golang/github.com/kylelemons/[email protected]
+pkg:golang/github.com/mattn/[email protected]
+pkg:golang/github.com/mattn/[email protected]
+pkg:golang/github.com/mgutz/[email protected]
+pkg:golang/github.com/mholt/[email protected]
+pkg:golang/github.com/minio/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/montanaflynn/[email protected]
+pkg:golang/github.com/nwaples/rardecode/[email protected]
+pkg:golang/github.com/pelletier/go-toml/[email protected]
+pkg:golang/github.com/pelletier/[email protected]
+pkg:golang/github.com/pierrec/lz4/[email protected]
+pkg:golang/github.com/pkg/[email protected]
+pkg:golang/github.com/sagikazarmark/[email protected]
+pkg:golang/github.com/shirou/gopsutil/[email protected]
+pkg:golang/github.com/sorairolake/[email protected]
+pkg:golang/github.com/sourcegraph/[email protected]
+pkg:golang/github.com/spf13/[email protected]
+pkg:golang/github.com/spf13/[email protected]
+pkg:golang/github.com/spf13/[email protected]
+pkg:golang/github.com/spf13/[email protected]
+pkg:golang/github.com/spf13/[email protected]
+pkg:golang/github.com/subosito/[email protected]
+pkg:golang/github.com/tangzero/[email protected]
+pkg:golang/github.com/therootcompany/[email protected]
+pkg:golang/github.com/tklauser/[email protected]
+pkg:golang/github.com/tklauser/[email protected]
+pkg:golang/github.com/ulikunitz/[email protected]
+pkg:golang/github.com/xdg-go/[email protected]
+pkg:golang/github.com/xdg-go/[email protected]
+pkg:golang/github.com/xdg-go/[email protected]
+pkg:golang/github.com/youmark/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/go.opentelemetry.io/auto/[email protected]
+pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]
+pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]
+pkg:golang/go.opentelemetry.io/otel/[email protected]
+pkg:golang/go.opentelemetry.io/otel/[email protected]
+pkg:golang/go.opentelemetry.io/[email protected]
+pkg:golang/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/google.golang.org/[email protected]
+pkg:golang/google.golang.org/genproto/googleapis/[email protected]
+pkg:golang/google.golang.org/genproto/googleapis/[email protected]
+pkg:golang/google.golang.org/[email protected]
+pkg:golang/google.golang.org/[email protected]
+pkg:golang/google.golang.org/[email protected]
+pkg:golang/gopkg.in/[email protected]

scripts/pre-commit.sh

@@ -39,6 +39,13 @@ if [[ -n "${STAGED_GO_FILES}" ]]; then
     git add docs
 fi
 
+STAGED_GO_MOD_FILES=$(git diff --cached --name-only | grep -E "^go\.(mod|sum)$" || true)
+
+if [[ -n "${STAGED_GO_MOD_FILES}" ]]; then
+    make gen-purls > /dev/null
+    git add build/package/purls.txt
+fi
+
 STAGED_EVG_FILES=$(git diff --cached --name-only | grep "evergreen.yml$")
 
 for FILE in ${STAGED_EVG_FILES}