
Conversation


@samrose samrose commented Dec 9, 2025

Files Created/Modified:

New Files:

  • nix/packages/sbom/ - Go package directory with:
    • default.nix - Nix package definition
    • go.mod - Go module file
    • cmd/sbom/main.go - CLI with ubuntu/nix/combined subcommands
    • internal/spdx/types.go - SPDX document structures
    • internal/ubuntu/generator.go - Ubuntu dpkg package scanner
    • internal/nix/wrapper.go - sbomnix wrapper
    • internal/merge/merger.go - SBOM merger

Modified Files:

  • flake.nix - Added sbomnix input
  • flake.lock - Updated with sbomnix
  • nix/packages/default.nix - Registered sbom packages
  • nix/fmt.nix - Added gofmt and excludes for .sum and vendor/
  • nix/devShells.nix - Added Go tools, sbom, sbomnix, spdx-tools
  • nix/checks.nix - Added sbom-builds and sbomnix-available checks
  • scripts/nix-provision.sh - Added SBOM generation step
  • stage2-nix-psql.pkr.hcl - Added provisioner to download SBOM
  • .github/workflows/ami-release-nix.yml - Added SBOM upload to S3 (staging and prod)

New Packages:

  • sbom - Main Go binary
  • sbom-generator - Combined Ubuntu+Nix SBOM generator
  • sbom-ubuntu - Ubuntu-only SBOM generator
  • sbom-nix - Nix-only SBOM generator (wraps sbomnix)
  • sbomnix - Upstream sbomnix tool

New Checks:

  • sbom-builds - Verifies the sbom binary builds and runs
  • sbomnix-available - Verifies sbomnix is functional

CI Integration:

At release time, the SBOM will be:

  1. Generated during packer provisioning (on the actual AMI)
  2. Downloaded from the instance
  3. Uploaded to s3://{bucket}/manifests/postgres-{version}/sbom.spdx.json

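As an added illustration of the three pieces the PR description lists (a dpkg status scanner, minimal SPDX document structures, and a merger that combines the Ubuntu and Nix SBOMs), the following Go program is example code written for this page, not the project's own `internal/ubuntu`, `internal/spdx` or `internal/merge` packages. The struct field subset, the `SPDXRef-ubuntu-<name>` / `SPDXRef-nix-<name>` identifier scheme, and the dpkg status text are all assumptions constructed here; a real run would read `/var/lib/dpkg/status` on the AMI and take the Nix side from sbomnix output.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// SPDXPackage is a minimal SPDX 2.3 package record. This is a hypothetical
// subset of fields chosen for the example, not the project's types.go.
type SPDXPackage struct {
	SPDXID   string `json:"SPDXID"`
	Name     string `json:"name"`
	Version  string `json:"versionInfo"`
	Supplier string `json:"supplier"`
}

// SPDXDocument is the top-level document; Packages is what the merger combines.
type SPDXDocument struct {
	SPDXVersion string        `json:"spdxVersion"`
	SPDXID      string        `json:"SPDXID"`
	Name        string        `json:"name"`
	Packages    []SPDXPackage `json:"packages"`
}

// ParseDpkgStatus reads the /var/lib/dpkg/status stanza format and emits one
// SPDX package per stanza whose Status is "install ok installed". Half-removed
// packages (status "deinstall ok config-files") are skipped so the SBOM only
// lists code that is actually present on the image.
func ParseDpkgStatus(r io.Reader) ([]SPDXPackage, error) {
	var pkgs []SPDXPackage
	stanza := map[string]string{}
	flush := func() {
		if stanza["Package"] != "" && stanza["Status"] == "install ok installed" {
			pkgs = append(pkgs, SPDXPackage{
				SPDXID:   "SPDXRef-ubuntu-" + stanza["Package"], // assumed ID scheme
				Name:     stanza["Package"],
				Version:  stanza["Version"],
				Supplier: "Organization: Ubuntu",
			})
		}
		stanza = map[string]string{}
	}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if line == "" { // blank line terminates a stanza
			flush()
			continue
		}
		if strings.HasPrefix(line, " ") { // continuation of a multi-line field such as Description
			continue
		}
		key, val, ok := strings.Cut(line, ":") // split on the first colon only
		if !ok {
			return nil, fmt.Errorf("malformed dpkg status line: %q", line)
		}
		stanza[key] = strings.TrimSpace(val)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	flush() // last stanza may not be followed by a blank line
	return pkgs, nil
}

// MergeDocuments combines per-source SBOMs into one document. A package whose
// SPDXID was already seen is dropped: duplicate SPDXIDs make the result invalid
// SPDX, and the first source listed wins.
func MergeDocuments(name string, docs ...SPDXDocument) SPDXDocument {
	out := SPDXDocument{SPDXVersion: "SPDX-2.3", SPDXID: "SPDXRef-DOCUMENT", Name: name}
	seen := map[string]bool{}
	for _, d := range docs {
		for _, p := range d.Packages {
			if seen[p.SPDXID] {
				continue
			}
			seen[p.SPDXID] = true
			out.Packages = append(out.Packages, p)
		}
	}
	return out
}

// sampleDpkgStatus is constructed input for the example, not captured from an AMI.
const sampleDpkgStatus = `Package: libc6
Status: install ok installed
Version: 2.35-0ubuntu3.8
Description: GNU C Library: Shared libraries
 Contains the standard libraries.

Package: old-tool
Status: deinstall ok config-files
Version: 1.0-1

Package: openssl
Status: install ok installed
Version: 3.0.2-0ubuntu1.18
`

// BuildCombinedSBOM runs the whole pipeline on the sample: scan dpkg, take a
// hypothetical Nix-side document, and merge them into one SPDX document.
func BuildCombinedSBOM() (SPDXDocument, error) {
	ubuntu, err := ParseDpkgStatus(strings.NewReader(sampleDpkgStatus))
	if err != nil {
		return SPDXDocument{}, err
	}
	nix := SPDXDocument{Packages: []SPDXPackage{ // stands in for sbomnix output
		{SPDXID: "SPDXRef-nix-postgresql", Name: "postgresql", Version: "15.8", Supplier: "Organization: nixpkgs"},
		{SPDXID: "SPDXRef-ubuntu-libc6", Name: "libc6", Version: "2.35-0ubuntu3.8"}, // duplicate, must be dropped
	}}
	return MergeDocuments("postgres-ami-combined", SPDXDocument{Packages: ubuntu}, nix), nil
}

func main() {
	doc, err := BuildCombinedSBOM()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	_ = enc.Encode(doc)
}
```

The merge step is where a combined SBOM most often goes wrong in practice: the same library can legitimately appear as a dpkg package and inside a Nix closure, and SPDX validators reject a document that carries the same SPDXID twice, so deduplicating by identifier (rather than by name) is the check worth keeping.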
@samrose samrose requested review from a team as code owners December 9, 2025 20:11
@samrose samrose marked this pull request as draft December 9, 2025 20:12

snyk-io bot commented Dec 9, 2025

Snyk checks have passed. No issues have been found so far.

Scanner        Critical  High  Medium  Low  Total
Code Security  0         0     0       0    0 issues
