feat(sbom): add Terraform .terraform.lock.hcl parser; ingest railiance repos

- ingest_sbom.py: parse .terraform.lock.hcl provider blocks (name, version);
  ecosystem stored as 'other' until terraform added to DB ENUM
- Registered railiance-bootstrap + railiance-hosts under railiance domain
- railiance-hosts ingested: 2 Terraform providers (hashicorp/template 2.2.0,
  hetznercloud/hcloud 1.52.0)
- railiance-bootstrap: no lockfile (pure Ansible/shell — noted in convention)
- sbom-convention_v0.1.md: add Terraform + Ansible rows to lockfile table;
  update registered repos status table

Total SBOM: 422 packages across 2 repos (custodian + railiance-hosts)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
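As an added example (not the project's `ingest_sbom.py`, which is not shown on this page), the following self-contained Python parser reads a `.terraform.lock.hcl` file and extracts each provider block's address, version, optional constraints and the `hashes` list, then flattens the result into `(ecosystem, name, version)` rows with `other` as the placeholder ecosystem the commit describes. The sample lockfile, its hash values, and the function and class names are constructed for this example.

```python
"""Parse a Terraform dependency lock file (.terraform.lock.hcl) into provider records.

Added example, not the project's ingest_sbom.py. It assumes the layout that
`terraform init` writes: one `provider "<address>" { ... }` block per provider
with a `version`, an optional `constraints`, and a multi-line `hashes = [ ... ]`
list. Hash strings are retained because they are the integrity data in the file.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lockfile for offline use (hash values are made up).
SAMPLE_LOCK = """\
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/template" {
  version     = "2.2.0"
  constraints = "~> 2.2"
  hashes = [
    "h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "zh:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
  ]
}

provider "registry.terraform.io/hetznercloud/hcloud" {
  version = "1.52.0"
  hashes = [
    "h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",
  ]
}
"""

_PROVIDER_OPEN = re.compile(r'^\s*provider\s+"([^"]+)"\s*\{\s*$')
_ATTR = re.compile(r'^\s*(version|constraints)\s*=\s*"([^"]*)"\s*$')
_HASHES_OPEN = re.compile(r'^\s*hashes\s*=\s*\[\s*$')
_HASH_ITEM = re.compile(r'^\s*"([a-z0-9]+:[^"]+)"\s*,?\s*$')
_SEMVER = re.compile(r'^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$')


class LockfileError(ValueError):
    """Raised for anything that is not the layout terraform init writes."""


@dataclass
class Provider:
    address: str                       # full source address as written in the lockfile
    version: str
    constraints: Optional[str] = None
    hashes: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        """Namespace/type without the registry host, e.g. 'hashicorp/template'."""
        return "/".join(self.address.split("/")[-2:])

    def hash_kinds(self) -> set:
        """Hash schemes present: 'h1' (package zip hash) and/or 'zh' (legacy archive hash)."""
        return {h.split(":", 1)[0] for h in self.hashes}


def parse_terraform_lock(text: str) -> List[Provider]:
    """Line-oriented state machine; fails loudly on anything unexpected."""
    providers: List[Provider] = []
    current: Optional[Provider] = None
    in_hashes = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:  # outside any block: only a provider header is allowed
            m = _PROVIDER_OPEN.match(raw)
            if not m:
                raise LockfileError(f"line {lineno}: expected provider block, got {line!r}")
            current = Provider(address=m.group(1), version="")
            continue
        if in_hashes:        # inside hashes = [ ... ]
            if line == "]":
                in_hashes = False
            elif (m := _HASH_ITEM.match(raw)):
                current.hashes.append(m.group(1))
            else:
                raise LockfileError(f"line {lineno}: bad hash entry {line!r}")
            continue
        if line == "}":      # block end: version is mandatory and must be semver-like
            if not _SEMVER.match(current.version):
                raise LockfileError(f"{current.address}: missing or invalid version {current.version!r}")
            providers.append(current)
            current = None
        elif _HASHES_OPEN.match(raw):
            in_hashes = True
        elif (m := _ATTR.match(raw)):
            setattr(current, m.group(1), m.group(2))
        else:
            raise LockfileError(f"line {lineno}: unexpected line {line!r}")
    if current is not None:
        raise LockfileError(f"unterminated provider block for {current.address}")
    return providers


def to_sbom_rows(providers: List[Provider], ecosystem: str = "other"):
    """Flatten into (ecosystem, name, version) rows; 'other' mirrors the commit's placeholder."""
    return [(ecosystem, p.name, p.version) for p in providers]
```

The parser deliberately raises on any line it does not recognise rather than skipping it, so a hand-edited or truncated lockfile fails ingest instead of producing a silently partial SBOM; `hash_kinds()` exposes whether a provider carries only the legacy `zh:` checksums, which is the case worth flagging when the hash list is eventually stored.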
2026-03-01 18:07:56 +01:00
parent 1c3c6ef27d
commit c90c7a7d97
2 changed files with 39 additions and 0 deletions

@@ -34,8 +34,10 @@ dashboard (`/sbom`) provides domain-level and repo-level drill-down.
| Python | `uv.lock` | Preferred. `requirements.txt` accepted as fallback |
| Node / npm | `package-lock.json` | Preferred. `yarn.lock` accepted |
| Rust | `Cargo.lock` | Auto-detected |
| Terraform | `.terraform.lock.hcl` | Provider pins; ecosystem stored as `other` until ENUM extended |
| Go | `go.sum` | *Not yet parsed — planned* |
| Java / JVM | `gradle.lockfile` / `pom.xml` | *Not yet parsed — planned* |
| Ansible | `requirements.yml` | *Not yet parsed — planned* |
**Principle:** commit lockfiles to the repo. Lockfiles are the SBOM source
of truth; do not generate them at ingest time.
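Review bot: the new Terraform row records only name and version (per the commit message), but `.terraform.lock.hcl` also carries a `hashes` list per provider (the `h1:`/`zh:` checksums that `terraform init` verifies downloads against), and dropping them leaves the SBOM unable to say which artefact was actually pulled; either ingest the hash list alongside the version or state in the row that hashes are not captured. Two smaller points on the same row: `Provider pins` should say that modules are not recorded in this lockfile (Terraform only locks providers), and storing the rows as `other` means the per-ecosystem drill-down named in the hunk context will mix Terraform with anything else filed under `other` until the ENUM is extended, so a reference to the follow-up ENUM change and a backfill of those rows belongs here. Minor: the Ansible row's `requirements.yml` is a requirements file rather than a lockfile (no checksums, versions optional), which sits oddly directly above the `commit lockfiles` principle.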
@@ -237,6 +239,8 @@ The SBOM dashboard aggregates across all repos within a domain in the
| Repo | Domain | Ecosystems | Last Ingest |
|------|--------|------------|-------------|
| `the-custodian` | custodian | python, node | 2026-03-01 |
| `railiance-bootstrap` | railiance | — (Ansible + shell, no lockfile) | — |
| `railiance-hosts` | railiance | terraform (2 providers) | 2026-03-01 |
*(This table is informational. The live view is at the SBOM dashboard.)*
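Review bot: the `railiance-hosts` row lists its ecosystem as `terraform (2 providers)`, but the lockfile table earlier in this file says the ingester stores these rows as `other`, so this informational table and the live dashboard it points to will disagree until the ENUM is extended; writing `other (terraform, 2 providers)` or adding a footnote would keep the two consistent. Also, `railiance-bootstrap` has `—` for both ecosystems and last ingest, so it will never appear on the dashboard; if this table is meant to track coverage, recording the registration date would distinguish a deliberately empty repo from one that was never ingested.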