Add CycloneDX SBOM generation for staging images#3833

Merged
arkid15r merged 13 commits into OWASP:main from OM-JADHAV25:add/SBOM-Generation on Feb 12, 2026
Conversation

@OM-JADHAV25
Contributor

Proposed change

Resolves #3775

This PR adds CycloneDX SBOM generation for staging Docker images as part of the existing scan-staging-images job.

SBOMs are generated in CycloneDX (JSON) format using Trivy for both backend and frontend staging images and uploaded as CI artifacts.
SBOM generation is intentionally non-blocking to avoid disrupting the existing CI/CD pipeline, while still providing supply chain visibility.

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

@coderabbitai
Contributor

coderabbitai bot commented Feb 7, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Add CycloneDX SBOM generation Makefile targets for backend and frontend images, add CI steps in scan-staging-images to run those targets and upload backend-sbom.cdx.json and frontend-sbom.cdx.json as a staging-sboms artifact, and add cdx, cyclonedx, and sbom to the cspell dictionary.

Changes

  • CI/CD Workflow (.github/workflows/run-ci-cd.yaml): In scan-staging-images, added steps to run sbom-backend-image and sbom-frontend-image (produce backend-sbom.cdx.json and frontend-sbom.cdx.json, continue-on-error) and upload both as the staging-sboms artifact with if: always().
  • Backend Makefile (backend/Makefile): Added .PHONY: sbom-backend-image and a sbom-backend-image target that may build the local image and runs a Trivy-based container to generate a CycloneDX SBOM (backend-sbom.cdx.json) from BACKEND_IMAGE_NAME.
  • Frontend Makefile (frontend/Makefile): Added .PHONY: sbom-frontend-image and a sbom-frontend-image target that may build the local image and runs a Trivy-based container to generate a CycloneDX SBOM (frontend-sbom.cdx.json) from FRONTEND_IMAGE_NAME.
  • Spell Check Dictionary (cspell/custom-dict.txt): Added entries: cdx, cyclonedx, and sbom.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • kasya
  • arkid15r
🚥 Pre-merge checks: 5 passed

  • Title check (Passed): The title directly and concisely describes the main change: adding CycloneDX SBOM generation for staging images, which is the primary objective of the PR.
  • Description check (Passed): The description clearly explains the proposed change (SBOM generation for staging images), references the linked issue, and outlines the implementation approach and design decisions.
  • Linked Issues check (Passed): The PR fully addresses all coding requirements from #3775: generates SBOMs in CycloneDX format using Trivy for both backend and frontend staging images, uploads them as CI artifacts, and keeps the generation non-blocking.
  • Out of Scope Changes check (Passed): All changes are directly related to the SBOM generation objective: Makefile targets for SBOM generation, workflow steps to orchestrate them, and dictionary updates for spell-check compatibility.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/run-ci-cd.yaml:
- Around line 556-570: The SBOM steps "Generate SBOM for backend image" and
"Generate SBOM for frontend image" call the local trivy binary which isn't
installed on the runner and are masked by continue-on-error; replace these steps
to run Trivy the same way as the earlier scans by either (A) using the
aquasecurity/trivy-action action (preferred) or (B) invoking the official Docker
image aquasec/trivy:0.69.1 (docker run ... image --format cyclonedx --output
...) so the scanner runs inside a container, or (C) add Makefile targets (e.g.,
make sbom-backend, make sbom-frontend) that perform the docker-run invocation
and call those targets from the workflow; ensure continue-on-error is removed so
failures surface.
🧹 Nitpick comments (2)
.github/workflows/run-ci-cd.yaml (2)

572-578: Upload step should also be guarded with continue-on-error or an if condition.

If both SBOM generation steps fail (which they will per the above), the output files won't exist. While actions/upload-artifact defaults to warn for missing files, it's better to be explicit — either add continue-on-error: true or gate with if: always() and set if-no-files-found: ignore to make the non-blocking intent clear and resilient.

       - name: Upload SBOM artifacts
+        if: always()
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: staging-sboms
           path: |
             backend-sbom.cdx.json
             frontend-sbom.cdx.json
+          if-no-files-found: warn
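Review bot: the suggested snippet and the text above disagree on the value of `if-no-files-found`: the text says to set it to `ignore`, while the snippet adds `if-no-files-found: warn`, which the same comment notes is already the default for actions/upload-artifact, so that added line changes nothing. Make the snippet match the intended behaviour: `ignore` if missing SBOM files should be silent, or `error` if the point is to surface a generation step that produced no output despite `if: always()` keeping the upload step running.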

916-938: Consider adding SBOM generation to the production scan job as well.

The linked issue (#3775) emphasizes supply-chain transparency for shipped images. Currently, SBOMs are only generated for staging images. For parity and to satisfy the goal of enabling post-release CVE impact analysis, the same SBOM steps should be added to the scan-production-images job (and ideally attached as release assets).

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 2 files

Confidence score: 3/5

  • CI/CD risk: run-ci-cd.yaml invokes the trivy CLI directly even though it isn’t available on GitHub runners, which can cause the workflow to fail and block merges/deploys.
  • Score reflects a concrete, high-severity (8/10) pipeline break risk rather than a functional code bug.
  • Pay close attention to .github/workflows/run-ci-cd.yaml - Trivy is called without the container-based setup used elsewhere.
Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name=".github/workflows/run-ci-cd.yaml">

<violation number="1" location=".github/workflows/run-ci-cd.yaml:559">
P1: The `trivy` CLI is not available on the GitHub Actions runner. The existing security scans in this workflow invoke Trivy via Docker containers through Makefile targets (`docker run aquasec/trivy:0.69.1`), but this step calls `trivy image` directly on the runner where it's not installed. Combined with `continue-on-error: true`, this will fail silently and no SBOMs will be generated while the job appears to succeed.

To fix, either:
1. Use `aquasecurity/trivy-action` GitHub Action
2. Run Trivy via Docker consistent with existing scans:
```sh
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy:0.69.1 image --format cyclonedx \
  --output backend-sbom.cdx.json owasp/nest:backend-staging
```
3. Add SBOM targets to the Makefile and call those instead</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

coderabbitai[bot]
coderabbitai bot previously approved these changes Feb 7, 2026
@OM-JADHAV25
Contributor Author

OM-JADHAV25 commented Feb 7, 2026

Hi @arkid15r,

Testing note:
I validated SBOM generation in a separate branch (test/SBOM-generation) using a temporary test-sbom job that builds the backend and frontend Docker images within the CI runner.
This was required because build-staging-images is protected and does not run in forks.
The Trivy SBOM commands used there are identical to those in scan-staging-images, so the same behavior applies once images are available in the main repository.
SBOM generation is intentionally non-blocking to avoid impacting the existing CI/CD flow.

Test workflow run:
https://github.com/OM-JADHAV25/Nest/actions/runs/21781110451

Generated SBOM artifacts:
https://github.com/OM-JADHAV25/Nest/actions/runs/21781110451/artifacts/5417209333

Collaborator

@arkid15r arkid15r left a comment

This is a good idea to upload artifacts for staging images. For production we want to attach SBOMs to GitHub release.

@arkid15r arkid15r marked this pull request as draft February 10, 2026 17:54
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

2 issues found across 3 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="frontend/Makefile">

<violation number="1" location="frontend/Makefile:80">
P2: Missing image-existence guard: unlike the adjacent `security-scan-frontend-image` target, this new target doesn't check whether the default local image exists and build it first. Running `make sbom-frontend-image` with the default `FRONTEND_IMAGE_NAME=nest-frontend-local` will fail if the image hasn't already been built.

(Based on your team's feedback about reusing existing patterns for CI and security scanner configuration.) [FEEDBACK_USED]</violation>
</file>

<file name="backend/Makefile">

<violation number="1" location="backend/Makefile:185">
P2: Missing auto-build guard for local image. The existing `security-scan-backend-image` target checks if `BACKEND_IMAGE_NAME` is the default `nest-backend-local` and builds it first if needed. This target lacks that guard, so `make sbom-backend-image` will fail locally if the image hasn't been pre-built. Add the same conditional build step for consistency and usability.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
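The two review threads above (the container-based Trivy invocation from the first cubic-dev-ai comment and the auto-build guard requested for the Makefile targets) combined into one portable shell script, as an added example that is not code from the Nest repository or its Makefiles. The Trivy image tag aquasec/trivy:0.69.1 and the default local image name nest-backend-local are taken from the review comments; the function names, the build-context argument and the check_sbom sanity check (which refuses an empty or non-CycloneDX file so that a failed generation cannot pass unnoticed, the failure mode both bots flagged) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Nest project's own Makefile or CI code.
# Assumed values: Trivy image tag and default local image name come from the
# review comments; build context path and function names are illustrative.
set -eu

TRIVY_IMAGE="${TRIVY_IMAGE:-aquasec/trivy:0.69.1}"

# Build the image only when the caller kept the default local name and the
# image is not present yet (the guard the review asked the sbom-* targets to
# share with the security-scan-* targets).
ensure_local_image() {
  image="$1"; default_name="$2"; context="$3"
  if [ "$image" = "$default_name" ] && ! docker image inspect "$image" >/dev/null 2>&1; then
    echo "Image $image not found locally, building from $context" >&2
    docker build -t "$image" "$context"
  fi
}

# Run Trivy inside its own container against a local Docker image and write a
# CycloneDX JSON SBOM into the current directory; no trivy binary is needed on
# the host or the CI runner.
generate_sbom() {
  image="$1"; output="$2"
  docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$PWD:/out" \
    "$TRIVY_IMAGE" image --format cyclonedx --output "/out/$output" "$image"
}

# Sanity check so that a CI step cannot "succeed" with an empty or
# non-CycloneDX file: the file must exist, declare bomFormat CycloneDX and
# carry at least one component (Trivy emits a "bom-ref" per component, plus
# one for metadata.component). Prints the bom-ref count; returns 1 on failure.
check_sbom() {
  file="$1"
  [ -s "$file" ] || { echo "SBOM $file missing or empty" >&2; return 1; }
  grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file" \
    || { echo "$file is not a CycloneDX document" >&2; return 1; }
  count=$(grep -c '"bom-ref"' "$file" || true)
  if [ "$count" -lt 2 ]; then
    echo "$file lists no components" >&2
    return 1
  fi
  echo "$count"
}

main() {
  image="$1"; output="$2"; default_name="$3"; context="${4:-.}"
  ensure_local_image "$image" "$default_name" "$context"
  generate_sbom "$image" "$output"
  check_sbom "$output" >/dev/null
  echo "SBOM written to $output"
}

# usage: ./sbom.sh nest-backend-local backend-sbom.cdx.json nest-backend-local ../backend
if [ $# -gt 0 ]; then
  main "$@"
fi
```

check_sbom is the piece worth wiring into the workflow regardless of whether the generation step keeps continue-on-error: an SBOM artifact that is uploaded but empty gives no supply-chain visibility, and the check turns that case into a visible failure instead of a green job.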

coderabbitai[bot]
coderabbitai bot previously approved these changes Feb 10, 2026
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
coderabbitai[bot]
coderabbitai bot previously approved these changes Feb 10, 2026
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
coderabbitai[bot]
coderabbitai bot previously approved these changes Feb 10, 2026
@OM-JADHAV25 OM-JADHAV25 marked this pull request as ready for review February 11, 2026 17:52
coderabbitai[bot]
coderabbitai bot previously approved these changes Feb 11, 2026
@OM-JADHAV25
Contributor Author

Hi @arkid15r,
I've implemented the suggested changes.
Please let me know if anything else needs to be updated.
Thanks!

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 4 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name=".github/workflows/run-ci-cd.yaml">

<violation number="1" location=".github/workflows/run-ci-cd.yaml:945">
P1: SBOM generation steps are blocking and will prevent deployment on failure. The `continue-on-error: true` was removed from both staging SBOM steps, and the new production SBOM steps also lack it. Since `deploy-staging-nest` and `deploy-production-nest` depend on their respective scan jobs, any SBOM generation failure (e.g., Trivy timeout, network issue) will block deployment. Consider adding `continue-on-error: true` if the intent is truly non-blocking, or update the PR description to reflect that SBOM failures intentionally block deployment.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@arkid15r arkid15r enabled auto-merge February 12, 2026 01:16
@codecov

codecov bot commented Feb 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.39%. Comparing base (00e364b) to head (6a22e19).
⚠️ Report is 1 commit behind head on main.

@@           Coverage Diff           @@
##             main    #3833   +/-   ##
=======================================
  Coverage   95.39%   95.39%           
=======================================
  Files         463      463           
  Lines       14540    14540           
  Branches     2017     2017           
=======================================
  Hits        13871    13871           
  Misses        328      328           
  Partials      341      341           
Flag Coverage Δ
backend 95.67% <ø> (ø)
frontend 94.64% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Collaborator

@arkid15r arkid15r left a comment

I updated it a bit, let's see if this works.

@arkid15r arkid15r added this pull request to the merge queue Feb 12, 2026
Merged via the queue into OWASP:main with commit 9c43ec9 Feb 12, 2026
35 checks passed
Development

Successfully merging this pull request may close these issues.

Add CycloneDX SBOM generation for Docker images in CI/CD

2 participants