From cad3c527198f04f3e291ed01bc26311213b7c67e Mon Sep 17 00:00:00 2001
From: Florian Stosse
Date: Tue, 26 Aug 2025 18:20:45 +0200
Subject: [PATCH] Add SBOM as job
---
.github/workflows/build-and-test.yaml | 51 +++++++++++++++-
.github/workflows/docker-scan.yml | 86 ---------------------------
2 files changed, 50 insertions(+), 87 deletions(-)
delete mode 100644 .github/workflows/docker-scan.yml
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index 99a3ffe..a31d4b3 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -233,4 +233,53 @@ jobs: with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build-and-push.outputs.digest }} - push-to-registry: true \ No newline at end of file + push-to-registry: true + + scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - + name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + with: + egress-policy: audit + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - + name: Build + id: docker_build + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + push: false + load: true + tags: localbuild/testimage:latest + cache-from: type=gha + cache-to: type=gha,mode=max + - + name: Generate SBOM and upload dependency results + uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 + with: + image: localbuild/testimage:latest + artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json" + output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json" + dependency-snapshot: false + format: cyclonedx-json + upload-artifact: true + - + name: Scan SBOM + uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 + id: scan + with: + cache-db: true + fail-build: false + sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json" + output-format: sarif + - + name: Upload Anchore scan SARIF report + uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} \ No newline at end of file 
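Review bot: The new `scan` job declares no `needs:` on the job whose `build-and-push` step yields the digest attested just above it, so it rebuilds the image locally (`push: false`, `load: true`, `tags: localbuild/testimage:latest`) and the SBOM and Grype results describe that second build rather than the image that was pushed and attested; unless the build is fully reproducible the two can differ. Consider scanning the pushed artifact by digest instead, e.g. `image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.BUILD_JOB.outputs.digest }}` together with a matching `needs:` and a job output on the build side (the build job's name and outputs lie outside this hunk). The Scan SBOM step also replaces the deleted workflow's `add-cpes-if-none: true` with `cache-db: true`; the two inputs are independent, and without CPE generation Grype may match fewer packages, so keep both unless the drop was deliberate. With `fail-build: false` and no `severity-cutoff`, findings only land in the Security tab and never gate the workflow, which deserves a comment on that line, e.g. `# report-only for now; raise fail-build once the baseline is triaged`. Finally, `egress-policy: audit` only logs outbound calls, whereas the deleted workflow's wait job used `block` with an allow-list; the same can be applied here once the endpoints observed in audit mode are known.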
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
deleted file mode 100644
index 484b861..0000000
--- a/.github/workflows/docker-scan.yml
+++ /dev/null
@@ -1,86 +0,0 @@ -name: Docker Image Grype scan - -on: - push: - branches: [master] - tags: - - '*' - workflow_dispatch: - -permissions: - contents: read - -jobs: - wait-for-build: - name: Wait for deploy - runs-on: ubuntu-latest - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: block - allowed-endpoints: > - api.github.com:443 - github.com:443 - release-assets.githubusercontent.com:443 - index.rubygems.org:443 - rubygems.org:443 - - - name: Wait for deploy - uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79 # v1.4.0 - with: - ref: ${{ github.ref }} - check-name: 'deploy' - repo-token: ${{ secrets.GITHUB_TOKEN }} - wait-interval: 15 - allowed-conclusions: success,skipped - - docker: - needs: wait-for-build - permissions: - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 - with: - egress-policy: audit - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Build - id: docker_build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - push: false - load: true - tags: localbuild/testimage:latest - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Generate SBOM and upload dependency results - uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 - with: - image: localbuild/testimage:latest - artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json" - output-file: "/tmp/${{ github.event.repository.name 
}}.cyclonedx-sbom.json" - dependency-snapshot: false - format: cyclonedx-json - upload-artifact: true - - - name: Scan SBOM - uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 - id: scan - with: - add-cpes-if-none: true - fail-build: false - sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json" - output-format: sarif - - - name: Upload Anchore scan SARIF report - uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5 - with: - sarif_file: ${{ steps.scan.outputs.sarif }} \ No newline at end of file