feat(buildx): support for attestation and sbom with buildx (#4132)

bentoml · Aug 22, 2023 · a2ead21 · a2ead21
1 parent 89d77d9
commit a2ead21
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/src/bentoml/_internal/container/buildx.py b/src/bentoml/_internal/container/buildx.py
@@ -5,6 +5,8 @@
 import typing as t
 from typing import TYPE_CHECKING
 
+from packaging.version import parse
+
 from .base import Arguments
 from .docker import ENV
 from .docker import find_binary
@@ -37,6 +39,15 @@ def health() -> bool:
     return True
 
 
+def supports_attestation() -> bool:
+    return parse(
+        subprocess.check_output([find_binary(), "buildx", "version"])
+        .decode("utf-8")
+        .strip()
+        .split()[1]
+    ) > parse("0.10.0")
+
+
 def parse_dict_opt(d: dict[str, str]) -> str:
     return ",".join([f"{key}={value}" for key, value in d.items()])
 
@@ -45,6 +56,7 @@ def construct_build_args(
     *,
     context_path: PathType = ".",
     add_host: dict[str, str] | ArgType = None,
+    attest: str | dict[str, str] | ArgType = None,
     build_arg: dict[str, str] | ArgType = None,
     build_context: dict[str, str] | ArgType = None,
     cache_from: str | dict[str, str] | ArgType = None,
@@ -54,6 +66,9 @@ def construct_build_args(
     no_cache_filter: str | dict[str, str] | ArgType = None,
     output: str | dict[str, str] | ArgType = None,
     platform: str | ArgType = None,
+    pull: t.Literal[True, False] = ...,
+    provenance: str | dict[str, str] | ArgType = ...,
+    sbom: str | dict[str, str] | ArgType = ...,
     push: bool = False,
     secret: str | dict[str, str] | ArgType = None,
     ulimit: str | dict[str, tuple[int, int]] | ArgType = None,
@@ -74,6 +89,7 @@ def construct_build_args(
         load, push = False, False
     cmds.construct_args(output, opt="output")
     cmds.construct_args(push, opt="push")
+    cmds.construct_args(pull, opt="pull")
     cmds.construct_args(load, opt="load")
     cmds.construct_args(platform, opt="platform")
 
@@ -106,6 +122,17 @@ def construct_build_args(
         ulimit = tuple(f"{key}={value[0]}:{value[1]}" for key, value in ulimit.items())
     cmds.construct_args(ulimit, opt="ulimit")
 
+    if supports_attestation():
+        if isinstance(attest, dict):
+            attest = parse_dict_opt(attest)
+        cmds.construct_args(attest, opt="attest")
+        if isinstance(provenance, dict):
+            provenance = parse_dict_opt(provenance)
+        cmds.construct_args(provenance, opt="provenance")
+        if isinstance(sbom, dict):
+            sbom = parse_dict_opt(sbom)
+        cmds.construct_args(sbom, opt="sbom")
+
     for k, v in kwargs.items():
         cmds.construct_args(v, opt=k.replace("_", "-"))
 

diff --git a/src/bentoml/container.py b/src/bentoml/container.py
@@ -103,6 +103,7 @@ def build(
     tag: tuple[str] | None = ...,
     context_path: PathType = ...,
     add_host: dict[str, str] | ArgType = ...,
+    attest: str | dict[str, str] | ArgType = ...,
     allow: str | ArgType = ...,
     build_arg: dict[str, str] | ArgType = ...,
     build_context: dict[str, str] | ArgType = ...,
@@ -120,9 +121,11 @@ def build(
     output: str | dict[str, str] | ArgType = ...,
     platform: str | ArgType = ...,
     progress: t.Literal["auto", "tty", "plain"] = "auto",
+    provenance: str | dict[str, str] | ArgType = ...,
     pull: t.Literal[True, False] = ...,
     push: t.Literal[True, False] = ...,
     quiet: t.Literal[True, False] = ...,
+    sbom: str | dict[str, str] | ArgType = ...,
     secret: str | dict[str, str] | ArgType = ...,
     shm_size: int | None = ...,
     ssh: str | ArgType = ...,

diff --git a/src/bentoml_cli/containerize.py b/src/bentoml_cli/containerize.py
@@ -270,6 +270,13 @@ def buildx_options_group(f: F[t.Any]):
             metavar="ENTITLEMENT",
             help="Allow extra privileged entitlement (e.g., ``network.host``, ``security.insecure``).",
         ),
+        optgroup_option(
+            "--attest",
+            equivalent=("opt", "attest=type=sbom,generator=image"),
+            multiple=True,
+            metavar="[NAME|type=TYPE[,KEY=VALUE]]",
+            help="Attestation parameter (e.g., ``type=local,ref=path/to/dir``).",
+        ),
         optgroup_option(
             "--build-context",
             equivalent=("opt", "build-context=project=path/to/project/source"),
@@ -304,6 +311,12 @@ def buildx_options_group(f: F[t.Any]):
             default=False,
             help="Shorthand for ``--output=type=registry``. Note that ``--push`` and ``--load`` are mutually exclusive.",
         ),
+        optgroup_option(
+            "--provenance",
+            equivalent=("opt", "provenance=generator=image"),
+            type=click.STRING,
+            help="Shorthand for ``--attest=type=provenance``.",
+        ),
         optgroup_option(
             "--quiet",
             is_flag=True,
@@ -338,6 +351,12 @@ def buildx_options_group(f: F[t.Any]):
             equivalent=("opt", "metadata-file=/path/to/file"),
             help="Write build result metadata to the file.",
         ),
+        optgroup_option(
+            "--sbom",
+            equivalent=("opt", "sbom=generator=image"),
+            type=click.STRING,
+            help="Shorthand for ``--attest=type=sbom``.",
+        ),
         optgroup_option(
             "--shm-size",
             equivalent=("opt", "shm-size=8192Mb"),