Add SBOM as job
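--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -234,3 +234,52 @@ jobs:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.build-and-push.outputs.digest }}
           push-to-registry: true
+
+  scan:
+    permissions:
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      -
+        name: Build
+        id: docker_build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          push: false
+          load: true
+          tags: localbuild/testimage:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      -
+        name: Generate SBOM and upload dependency results
+        uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
+        with:
+          image: localbuild/testimage:latest
+          artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          dependency-snapshot: false
+          format: cyclonedx-json
+          upload-artifact: true
+      -
+        name: Scan SBOM
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
+        id: scan
+        with:
+          cache-db: true
+          fail-build: false
+          sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          output-format: sarif
+      -
+        name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}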
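Review bot: The new `scan` job rebuilds `localbuild/testimage:latest` with `push: false` / `load: true` and generates the SBOM from that local build, so the SBOM artifact and the Grype SARIF describe a different artifact than the image pushed and attested via `subject-digest: ${{ steps.build-and-push.outputs.digest }}` in the context lines, and with no `needs:` on the job it also runs when that build job fails. If the intent is to scan what was shipped, gate the job on the build job and point `image:` at the pushed reference by digest (exposed as a job output); if the local rebuild is deliberate, a comment on the Build step such as `# Scans a fresh local build, not the pushed/attested image` would make that explicit for the next reader. The replacement also drops `add-cpes-if-none: true` that the removed docker-scan.yml passed to anchore/scan-action, which as far as I know changes CPE-based match coverage for packages lacking CPE data, so the change in results should be expected rather than read as a regression. Finally, `fail-build: false` together with `dependency-snapshot: false` means findings only surface in code scanning and never fail the workflow; a one-line comment on the Scan SBOM step stating that this is intentional would document the policy.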
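--- a/.github/workflows/docker-scan.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-name: Docker Image Grype scan
-
-on:
-  push:
-    branches: [master]
-    tags:
-      - '*'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  wait-for-build:
-    name: Wait for deploy
-    runs-on: ubuntu-latest
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            index.rubygems.org:443
-            rubygems.org:443
-
-      - name: Wait for deploy
-        uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79 # v1.4.0
-        with:
-          ref: ${{ github.ref }}
-          check-name: 'deploy'
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          wait-interval: 15
-          allowed-conclusions: success,skipped
-
-  docker:
-    needs: wait-for-build
-    permissions:
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-      -
-        name: Build
-        id: docker_build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          push: false
-          load: true
-          tags: localbuild/testimage:latest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-      -
-        name: Generate SBOM and upload dependency results
-        uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
-        with:
-          image: localbuild/testimage:latest
-          artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json"
-          output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
-          dependency-snapshot: false
-          format: cyclonedx-json
-          upload-artifact: true
-      -
-        name: Scan SBOM
-        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
-        id: scan
-        with:
-          add-cpes-if-none: true
-          fail-build: false
-          sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
-          output-format: sarif
-      -
-        name: Upload Anchore scan SARIF report
-        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}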