introduce build.provenance and sbom support

Signed-off-by: Nicolas De Loof <[email protected]>

Author: ndeloof

cmd/compose/build.go

@@ -34,18 +34,17 @@ import (
 
 type buildOptions struct {
 	*ProjectOptions
-	quiet      bool
-	pull       bool
-	push       bool
-	args       []string
-	noCache    bool
-	memory     cliopts.MemBytes
-	ssh        string
-	builder    string
-	deps       bool
-	print      bool
-	check      bool
-	provenance bool
+	quiet   bool
+	pull    bool
+	push    bool
+	args    []string
+	noCache bool
+	memory  cliopts.MemBytes
+	ssh     string
+	builder string
+	deps    bool
+	print   bool
+	check   bool
 }
 
 func (opts buildOptions) toAPIBuildOptions(services []string) (api.BuildOptions, error) {
@@ -71,20 +70,19 @@ func (opts buildOptions) toAPIBuildOptions(services []string) (api.BuildOptions,
 	}
 
 	return api.BuildOptions{
-		Pull:       opts.pull,
-		Push:       opts.push,
-		Progress:   uiMode,
-		Args:       types.NewMappingWithEquals(opts.args),
-		NoCache:    opts.noCache,
-		Quiet:      opts.quiet,
-		Services:   services,
-		Deps:       opts.deps,
-		Memory:     int64(opts.memory),
-		Print:      opts.print,
-		Check:      opts.check,
-		SSHs:       SSHKeys,
-		Builder:    builderName,
-		Provenance: opts.provenance,
+		Pull:     opts.pull,
+		Push:     opts.push,
+		Progress: uiMode,
+		Args:     types.NewMappingWithEquals(opts.args),
+		NoCache:  opts.noCache,
+		Quiet:    opts.quiet,
+		Services: services,
+		Deps:     opts.deps,
+		Memory:   int64(opts.memory),
+		Print:    opts.print,
+		Check:    opts.check,
+		SSHs:     SSHKeys,
+		Builder:  builderName,
 	}, nil
 }
 
@@ -156,7 +154,7 @@ func runBuild(ctx context.Context, dockerCli command.Cli, backend api.Service, o
 	}
 
 	apiBuildOptions, err := opts.toAPIBuildOptions(services)
-	apiBuildOptions.Provenance = true
+	apiBuildOptions.Attestations = true
 	if err != nil {
 		return err
 	}

go.mod

@@ -181,6 +181,7 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/net v0.39.0 // indirect
 	golang.org/x/oauth2 v0.29.0 // indirect
@@ -212,3 +213,5 @@ exclude (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
 )
+
+replace github.com/compose-spec/compose-go/v2 => github.com/ndeloof/compose-go/v2 v2.0.1-0.20250717155109-944e46375d7a

go.sum

@@ -80,8 +80,6 @@ github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004 h1:lkAMpLVBDaj17e
 github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
-github.com/compose-spec/compose-go/v2 v2.7.1 h1:EUIbuaD0R/J1KA+FbJMNbcS9+jt/CVudbp5iHqUllSs=
-github.com/compose-spec/compose-go/v2 v2.7.1/go.mod h1:TmjkIB9W73fwVxkYY+u2uhMbMUakjiif79DlYgXsyvU=
 github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJHo6Bzo=
 github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
 github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc=
@@ -361,6 +359,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/ndeloof/compose-go/v2 v2.0.1-0.20250717155109-944e46375d7a h1:xbjZF15DAu3zEwNe0y8gGEUMlIwYzsSl+dHHBWw+KJA=
+github.com/ndeloof/compose-go/v2 v2.0.1-0.20250717155109-944e46375d7a/go.mod h1:veko/VB7URrg/tKz3vmIAQDaz+CGiXH8vZsW79NmAww=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU=
@@ -539,6 +539,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
 go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=

pkg/api/api.go

@@ -170,8 +170,8 @@ type BuildOptions struct {
 	Print bool
 	// Check let builder validate build configuration
 	Check bool
-	// Provenance
-	Provenance bool
+	// Attestations allows to enable attestations generation
+	Attestations bool
 }
 
 // Apply mutates project according to build options

pkg/compose/build.go

@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -397,6 +398,7 @@ func resolveAndMergeBuildArgs(dockerCli command.Cli, project *types.Project, ser
 	return result
 }
 
+//nolint:gocyclo
 func (s *composeService) toBuildOptions(project *types.Project, service types.ServiceConfig, options api.BuildOptions) (build.Options, error) {
 	plats, err := parsePlatforms(service)
 	if err != nil {
@@ -471,8 +473,13 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 	}
 
 	attests := map[string]*string{}
-	if !options.Provenance {
-		attests["provenance"] = nil
+	if options.Attestations {
+		if service.Build.Provenance != "" {
+			attests["provenance"] = attestation(service.Build.Provenance, "provenance")
+		}
+		if service.Build.SBOM != "" {
+			attests["sbom"] = attestation(service.Build.SBOM, "sbom")
+		}
 	}
 
 	return build.Options{
@@ -502,6 +509,16 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 	}, nil
 }
 
+func attestation(attest string, val string) *string {
+	if b, err := strconv.ParseBool(val); err == nil {
+		s := fmt.Sprintf("type=%s,disabled=%t", attest, b)
+		return &s
+	} else {
+		s := fmt.Sprintf("type=%s,%s", attest, val)
+		return &s
+	}
+}
+
 func toUlimitOpt(ulimits map[string]*types.UlimitsConfig) *cliopts.UlimitOpt {
 	ref := map[string]*container.Ulimit{}
 	for _, limit := range toUlimits(ulimits) {