feat: add SBOM scanner sidecar for memory-isolated SBOM generation

build/Dockerfile

@@ -9,9 +9,15 @@ RUN --mount=target=. \
     --mount=type=cache,target=/go/pkg \
     GOOS=$TARGETOS GOARCH=$TARGETARCH GOEXPERIMENT=greenteagc go build -o /out/node-agent -ldflags="-s -w" ./cmd/main.go
 
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH GOEXPERIMENT=greenteagc go build -o /out/sbom-scanner -ldflags="-s -w" ./cmd/sbom-scanner/main.go
+
 FROM gcr.io/distroless/static-debian13:latest
 
 COPY --from=builder /out/node-agent /usr/bin/node-agent
+COPY --from=builder /out/sbom-scanner /usr/bin/sbom-scanner
 COPY tracers.tar /root/tracers.tar
 COPY configuration/ig-config.yaml /root/.ig/config.yaml
 

cmd/main.go

@@ -63,6 +63,7 @@ import (
 	"github.com/kubescape/node-agent/pkg/rulemanager/ruleswatcher"
 	"github.com/kubescape/node-agent/pkg/sbommanager"
 	sbommanagerv1 "github.com/kubescape/node-agent/pkg/sbommanager/v1"
+	sbomscanner "github.com/kubescape/node-agent/pkg/sbomscanner/v1"
 	"github.com/kubescape/node-agent/pkg/seccompmanager"
 	seccompmanagerv1 "github.com/kubescape/node-agent/pkg/seccompmanager/v1"
 	"github.com/kubescape/node-agent/pkg/storage/v1"
@@ -381,10 +382,19 @@ func main() {
 	logger.L().Info("IG Kubernetes client created", helpers.Interface("client", igK8sClient))
 	logger.L().Info("detected container runtime", helpers.String("containerRuntime", igK8sClient.RuntimeConfig.Name.String()))
 
+	// Create the SBOM scanner sidecar client (if configured)
+	var scannerClient sbomscanner.SBOMScannerClient
+	if socket, ok := os.LookupEnv("SBOM_SCANNER_SOCKET"); ok {
+		scannerClient, err = sbomscanner.NewSBOMScannerClient(socket)
+		if err != nil {
+			logger.L().Ctx(ctx).Warning("SBOM scanner sidecar not available, falling back to in-process scanning", helpers.Error(err))
+		}
+	}
+
 	// Create the SBOM manager
 	var sbomManager sbommanager.SbomManagerClient
 	if cfg.EnableSbomGeneration {
-		sbomManager, err = sbommanagerv1.CreateSbomManager(ctx, cfg, igK8sClient.RuntimeConfig.SocketPath, storageClient, k8sObjectCache)
+		sbomManager, err = sbommanagerv1.CreateSbomManager(ctx, cfg, igK8sClient.RuntimeConfig.SocketPath, storageClient, k8sObjectCache, scannerClient)
 		if err != nil {
 			logger.L().Ctx(ctx).Fatal("error creating SbomManager", helpers.Error(err))
 		}

cmd/sbom-scanner/main.go

@@ -0,0 +1,48 @@
+package main
+
+import (
+	"net"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	sbomscanner "github.com/kubescape/node-agent/pkg/sbomscanner/v1"
+	pb "github.com/kubescape/node-agent/pkg/sbomscanner/v1/proto"
+	"google.golang.org/grpc"
+	_ "modernc.org/sqlite"
+)
+
+func main() {
+	socketPath := os.Getenv("SOCKET_PATH")
+	if socketPath == "" {
+		socketPath = "/sbom-comm/scanner.sock"
+	}
+
+	// Remove stale socket file from a previous run
+	os.Remove(socketPath)
+
+	lis, err := net.Listen("unix", socketPath)
+	if err != nil {
+		logger.L().Fatal("failed to listen on socket", helpers.Error(err), helpers.String("path", socketPath))
+	}
+
+	srv := grpc.NewServer()
+	pb.RegisterSBOMScannerServer(srv, sbomscanner.NewScannerServer())
+
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGTERM, syscall.SIGINT)
+
+	go func() {
+		sig := <-sigCh
+		logger.L().Info("received signal, shutting down", helpers.String("signal", sig.String()))
+		srv.GracefulStop()
+		os.Remove(socketPath)
+	}()
+
+	logger.L().Info("SBOM scanner sidecar started", helpers.String("socket", socketPath))
+	if err := srv.Serve(lis); err != nil {
+		logger.L().Fatal("gRPC server failed", helpers.Error(err))
+	}
+}

pkg/sbommanager/v1/metrics.go

@@ -0,0 +1,29 @@
+package v1
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
+)
+
+var (
+	sbomScanTotal = promauto.NewCounterVec(prometheus.CounterOpts{
+		Name: "sbom_scan_total",
+		Help: "Total SBOM scan attempts",
+	}, []string{"status"})
+
+	sbomScanDuration = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Name:    "sbom_scan_duration_seconds",
+		Help:    "SBOM scan duration in seconds",
+		Buckets: prometheus.ExponentialBuckets(1, 2, 12),
+	}, []string{"status"})
+
+	sbomScannerRestartsTotal = promauto.NewCounter(prometheus.CounterOpts{
+		Name: "sbom_scanner_restarts_total",
+		Help: "Total number of SBOM scanner sidecar restarts detected via connection loss",
+	})
+
+	sbomScannerReady = promauto.NewGauge(prometheus.GaugeOpts{
+		Name: "sbom_scanner_ready",
+		Help: "Whether the SBOM scanner sidecar is connected and healthy (1=ready, 0=not ready)",
+	})
+)