CLOUDP-327368/ssdlc-reports (#105)

* feat: generate ssdlc reports as part of release

* feat: manual workflow for SBOMs and SSDLC report

* chore: remove redundant code

Author: andrpac

.github/workflows/generate-ssdlc-report.yml

@@ -0,0 +1,114 @@
+name: Create SBOMs and SSDLC report PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        type: string
+        description: "Version of the release to extract the SBOM and obtain SSDLC report"
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  sboms:
+    name: Create SBOMs and SSDLC compliance reports as workflow artifacts
+    runs-on: ubuntu-latest
+    env:
+      VERSION: ${{ github.event.inputs.version }}
+
+    steps:
+      - name: Install tools (podman)
+        run: |
+          sudo apt update
+          sudo apt install -y podman unzip
+
+      - name: Checkout code
+        uses: actions/checkout@v4.1.1
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Download all plugin binaries
+        run: |
+          BASE_URL="https://github.com/mongodb/atlas-cli-plugin-kubernetes/releases/download/v${VERSION}"
+          curl -L "${BASE_URL}/atlas-cli-plugin-kubernetes_${VERSION}_linux_arm64.tar.gz" -o "linux_arm64.tar.gz"
+          curl -L "${BASE_URL}/atlas-cli-plugin-kubernetes_${VERSION}_darwin_arm64.zip" -o "darwin_arm64.zip"
+          curl -L "${BASE_URL}/atlas-cli-plugin-kubernetes_${VERSION}_windows_x86_64.zip" -o "windows_x86_64.zip"
+
+      - name: Extract all binaries
+        run: |
+          mkdir -p extracted/linux_arm64
+          mkdir -p extracted/darwin_arm64
+          mkdir -p extracted/windows_x86_64
+
+          # Extract and move Linux ARM64 binary
+          tar -xzf linux_arm64.tar.gz
+          mv atlas-cli-plugin-kubernetes_*_linux_arm64/atlas-cli-plugin-kubernetes extracted/linux_arm64/
+
+          # Extract macOS and Windows into their dirs
+          unzip -o darwin_arm64.zip -d extracted/darwin_arm64
+          unzip -o windows_x86_64.zip -d extracted/windows_x86_64
+
+      - name: Generate PURLs from all binaries
+        run: |
+          mkdir -p build/package
+
+          binaries=(
+            "extracted/linux_arm64/atlas-cli-plugin-kubernetes"
+            "extracted/darwin_arm64/atlas-cli-plugin-kubernetes"
+            "extracted/windows_x86_64/atlas-cli-plugin-kubernetes.exe"
+          )
+
+          tmp_files=()
+
+          for bin in "${binaries[@]}"; do
+            if [[ -f "$bin" ]]; then
+              echo "==> Extracting from $bin"
+              tmp_file=$(mktemp)
+              go version -m "$bin" | \
+                awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+                LC_ALL=C sort > "$tmp_file"
+              tmp_files+=("$tmp_file")
+            else
+              echo "==> Skipping missing binary: $bin"
+            fi
+          done
+
+          cat "${tmp_files[@]}" | LC_ALL=C sort | uniq > build/package/purls.txt
+          echo "==> Final purls.txt:"
+          cat build/package/purls.txt
+
+      - name: Fetch Silkbomb image
+        run: |
+          set -e
+          podman pull "${{ secrets.silkbomb_image }}"
+
+      - name: Generate SBOM
+        env:
+          SILKBOMB_PURLS_FILE: "./build/package/purls.txt"
+          SILKBOMB_SBOM_FILE: "./build/package/sbom.json"
+          SILKBOMB_IMAGE: ${{ secrets.silkbomb_image }}
+        run: build/package/generate-sbom.sh
+
+      - name: Generate SSDLC report
+        env:
+          AUTHOR: ${{ github.actor }}
+          VERSION: ${{ env.VERSION }}
+        run: |
+            build/package/generate-ssdlc-report.sh
+
+      - name: Upload SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: build/package/sbom.json
+    
+      - name: Upload SSDLC report as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ssdlc-compliance-report.md
+          path: ssdlc-compliance-report.md

.gitignore

@@ -31,6 +31,7 @@ gon_arm64.json
 *.xml
 sbom.json
 augmented-sbom.json
+ssdlc-compliance-report.md
 
 # We don't want to commit env variables
 *.env

build/ci/release.yml

@@ -143,6 +143,12 @@ functions:
           mv ./build/package/sbom.json sbom.json
           mv ./build/package/augmented-sbom.json augmented-sbom.json
           echo "Moved SBOMs to repository root."
+  "generate ssdlc report":
+    - command: subprocess.exec
+      type: test
+      params:
+        working_dir: src/github.com/mongodb/atlas-cli-plugin-kubernetes
+        binary: build/package/generate-ssdlc-report.sh
   "package":
     - command: github.generate_token
       params:
@@ -241,6 +247,14 @@ tasks:
       - func: "generate sbom"
       - func: "upload sbom"
       - func: "move sboms"
+  - name: test-ssdlc-report
+    tags: ["code_health"]
+    allowed_requesters: ["patch"]
+    depends_on:
+    - name: test-sbom
+      tags: "success"
+    commands:
+    - func: "generate ssdlc report"
   - name: test-trace
     tags: ["code_health"]
     allowed_requesters: ["patch"]
@@ -266,8 +280,9 @@ tasks:
     commands:
       - func: "generate sbom"
       - func: "upload sbom"
-      - func: "generate notices"
       - func: "move sboms"
+      - func: "generate ssdlc report"
+      - func: "generate notices"
       - func: "install goreleaser"
       - func: "install macos notarization service"
       - func: "install gh-token"

build/package/.goreleaser.yml

@@ -93,3 +93,4 @@ release:
     - glob: ./*.asc
     - glob: ./sbom.json
     - glob: ./augmented-sbom.json
+    - glob: ./ssdlc-compliance-report.md

build/package/generate-ssdlc-report.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+: "${AUTHOR:=$(git config user.name)}"
+: "${VERSION:=$(git tag --list 'atlas-cli-plugin-kubernetes/v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)}"
+: "${DATE:=$(date -u '+%Y-%m-%d')}"
+
+export AUTHOR VERSION DATE
+
+REPORT_OUT="${REPORT_OUT:-ssdlc-compliance-report.md}"
+echo "Generating SSDLC checklist for atlas-cli-plugin version ${VERSION}, author ${AUTHOR}, release date ${DATE}..."
+echo "Report will be part of the release: ${REPORT_OUT}"
+
+# Render the template with environment variable substitution
+envsubst < docs/releases/ssdlc-compliance.template.md > "${REPORT_OUT}"

docs/releases/ssdlc-compliance.template.md

@@ -0,0 +1,28 @@
+SSDLC Compliance Report: Atlas CLI Plugin Kubernetes v${VERSION}
+=================================================================
+
+- **Release Creator:** ${AUTHOR}
+- **Created On:**      ${DATE}
+
+## Overview
+
+- **Product Name and Version**
+  - Atlas CLI Plugin Kubernetes v${VERSION}, generated on ${DATE}.
+
+- **Process Documentation**
+  - [How MongoDB Protects Against Supply Chain Vulnerabilities](https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities)
+
+- **Dependency Information**
+  - The Software Bill of Materials (SBOM) is:
+    - a) part of this release as `sbom.json` and `augmented-sbom.json` with vulnerabilities found from Kondukto  
+    - b) part of the released artifacts from the on-demand workflow as `sbom.json`
+
+- **Security Testing Report**
+  - Available on request from the Cloud Security team.
+
+- **Security Assessment Report**
+  - Available on request from the Cloud Security team.
+
+## Assumptions and Attestations
+
+- Internal processes are in place to ensure CVEs are identified and mitigated within established SLAs.