From d817cadf5c41bfb5722a28051c97d4cbb5478452 Mon Sep 17 00:00:00 2001 From: Benjamin Smidt Date: Mon, 29 Jun 2026 12:29:07 -0700 Subject: [PATCH] feat(builder): add cargo-auditable to the builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Release SBOMs currently list only the top-level package because the Rust binaries carry no dependency manifest: syft scans the built artifacts and finds nothing to catalog beyond the package record itself. Install cargo-auditable and a small wrapper so a follow-up goreleaser change can build via `cargo auditable`, embedding each binary's dependency tree in a `.dep-v0` ELF section. syft (>= 1.15; the image ships 1.46) reads that section and emits SBOMs that list every linked crate. cargo-auditable only activates when invoked as `cargo auditable ` (it inspects argv[1] and refuses otherwise), so goreleaser's Rust `tool:` cannot point at the binary directly; the wrapper restores that invocation while passing through `zigbuild --target=... --release` as usual. This change is additive — nothing references the wrapper yet. Wiring it into build/.goreleaser.yaml and bumping build/Dockerfile's pinned image follow in a separate PR once this image is published. Co-Authored-By: Claude Opus 4.8 (1M context) --- build/Dockerfile.builder | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/build/Dockerfile.builder b/build/Dockerfile.builder index 2d414325..708d9f90 100644 --- a/build/Dockerfile.builder +++ b/build/Dockerfile.builder 
@@ -34,6 +34,23 @@ RUN curl -fsSL -o /tmp/zig.tar.xz "https://ziglang.org/download/${ZIG_VERSION}/z # Install cargo-zigbuild RUN cargo install cargo-zigbuild +# Install cargo-auditable so release builds embed each binary's dependency tree +# in a `.dep-v0` ELF section. syft (>= 1.15) reads that section, so SBOMs +# generated from the binaries/archives list every linked crate instead of just +# the top-level package. Wired up in build/.goreleaser.yaml via the Rust +# builder's `tool:` (see the wrapper below). +RUN cargo install cargo-auditable --locked + +# Wrapper used as GoReleaser's Rust build `tool:`. cargo-auditable only activates +# when invoked as `cargo auditable ` — it inspects argv[1] and refuses to run +# if it isn't "auditable" — so GoReleaser's `tool:`/`command:` cannot point at the +# cargo-auditable binary directly. This wrapper restores the `cargo auditable` +# invocation while passing through whatever GoReleaser appends (e.g. +# `zigbuild --target=... --release -p=miru-agent`). +RUN printf '#!/usr/bin/env bash\nexec cargo auditable "$@"\n' \ + > /usr/local/bin/cargo-auditable-zigbuild \ + && chmod +x /usr/local/bin/cargo-auditable-zigbuild + # Install GoReleaser (OSS version - Pro features unlocked via GORELEASER_KEY at runtime) # Verified using SHA256 checksum from release ARG GORELEASER_VERSION=2.13.3
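Review bot: `RUN cargo install cargo-auditable --locked` pins the lockfile but not the crate version, so two builds of this image can resolve different cargo-auditable releases and produce differently shaped `.dep-v0` sections; for a tool that feeds the release SBOM, pin it explicitly (`cargo install cargo-auditable --version <pinned> --locked`, with the version recorded next to the other pinned tool versions in this Dockerfile) so the SBOM generator's input format is reproducible. Two smaller points in the same hunk: the comment "Wired up in build/.goreleaser.yaml via the Rust builder's `tool:`" contradicts the commit message, which says nothing references the wrapper yet and the goreleaser wiring lands in a separate PR, so reword it as "intended to be wired up" or drop it until that PR merges; and the wrapper's `#!/usr/bin/env bash` shebang depends on bash being present in the builder image, which nothing in this hunk guarantees, while the two-line body (`exec cargo auditable "$@"`) is plain POSIX sh, so `#!/bin/sh` removes that dependency.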