Add SBOM generation and atomic Helm deployments

- Add SBOM job using Syft to generate SPDX and CycloneDX formats
- Add --atomic flag to Helm deployments for auto-rollback on failure
- Add gitleaks fingerprints for additional false positives

.gitlab-ci.yml

@@ -110,6 +110,26 @@ integration_test_feature:
     - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
       when: on_success
 
+# Generate Software Bill of Materials (SBOM)
+sbom:
+  stage: build
+  needs: [build_image]
+  image: deps.global.bsf.tools/docker/anchore/syft:latest
+  timeout: 10m
+  variables:
+    IMAGE_NAME: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp:git.linux-amd64-$CI_COMMIT_SHA
+  script:
+    - echo "Generating SBOM for $IMAGE_NAME"
+    - syft $IMAGE_NAME -o spdx-json=sbom-spdx.json -o cyclonedx-json=sbom-cyclonedx.json
+    - echo "SBOM generation complete"
+    - echo "SPDX format:" && head -50 sbom-spdx.json
+  artifacts:
+    when: always
+    expire_in: 1 year
+    paths:
+      - sbom-spdx.json
+      - sbom-cyclonedx.json
+
 # Run Python backend tests
 python_tests:
   stage: test
@@ -245,6 +265,7 @@ deploy_stage:
         -f $VALUES_FILE \
         --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
         --wait \
+        --atomic \
         --timeout 5m
     - kubectl rollout status deployment/orchard-stage-server -n $NAMESPACE --timeout=5m
     - *verify_deployment
@@ -280,6 +301,7 @@ deploy_feature:
         --set minioIngress.host=minio-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
         --set minioIngress.tls.secretName=minio-$CI_COMMIT_REF_SLUG-tls \
         --wait \
+        --atomic \
         --timeout 5m
     - kubectl rollout status deployment/orchard-$CI_COMMIT_REF_SLUG-server -n $NAMESPACE --timeout=5m
     - export BASE_URL="https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools"

.gitleaksignore

@@ -9,3 +9,5 @@
 bccbc71c13570d14b8b26a11335c45f102fe3072:backend/tests/unit/test_storage.py:generic-api-key:381
 5c9da9003b844a2d655cce74a7c82c57e74f27c4:backend/tests/unit/test_storage.py:generic-api-key:381
 90bb2a3a393d2361dc3136ee8d761debb0726d8a:backend/tests/unit/test_storage.py:generic-api-key:381
+37666e41a72d2a4f34447c0d1a8728e1d7271d24:backend/tests/unit/test_storage.py:generic-api-key:381
+0cc4f253621a9601c5193f6ae1e7ae33f0e7fc9b:backend/tests/unit/test_storage.py:generic-api-key:381

CHANGELOG.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 ### Added
+- Added SBOM (Software Bill of Materials) generation in CI pipeline using Syft (SPDX and CycloneDX formats)
 - Added GitLab CI pipeline for feature branch deployments to dev namespace (#51)
 - Added `deploy_feature` job with dynamic hostnames and unique release names (#51)
 - Added `cleanup_feature` job with `on_stop` for automatic cleanup on merge (#51)
@@ -16,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added internal proxy configuration for npm, pip, helm, and apt (#51)
 
 ### Changed
+- Added `--atomic` flag to Helm deployments for automatic rollback on failure
 - Adjusted dark mode color palette to use lighter background tones for better readability and reduced eye strain (#52)
 - Replaced project card grid with sortable data table on Home page for better handling of large project lists
 - Replaced package card grid with sortable data table on Project page for consistency