Add SBOM as job

2025-08-26 18:20:45 +02:00
parent 1b46a636c9
commit cad3c52719
2 changed files with 50 additions and 87 deletions
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -234,3 +234,52 @@ jobs:
        subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
        subject-digest: ${{ steps.build-and-push.outputs.digest }}
        push-to-registry: true
+
+  scan:
+    permissions:
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      -
+        name: Build
+        id: docker_build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          push: false
+          load: true
+          tags: localbuild/testimage:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      -
+        name: Generate SBOM and upload dependency results
+        uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
+        with:
+          image: localbuild/testimage:latest
+          artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          dependency-snapshot: false
+          format: cyclonedx-json
+          upload-artifact: true
+      -
+        name: Scan SBOM
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
+        id: scan
+        with:
+          cache-db: true
+          fail-build: false
+          sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          output-format: sarif
+      -
+        name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
@@ -1,86 +0,0 @@
-name: Docker Image Grype scan
-
-on:
-  push:
-    branches: [master]
-    tags:
-      - '*'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  wait-for-build:
-    name: Wait for deploy
-    runs-on: ubuntu-latest
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            index.rubygems.org:443
-            rubygems.org:443
-
-      - name: Wait for deploy
-        uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79  # v1.4.0
-        with:
-          ref: ${{ github.ref }}
-          check-name: 'deploy'
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          wait-interval: 15
-          allowed-conclusions: success,skipped
-
-  docker:
-    needs: wait-for-build
-    permissions:
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    runs-on: ubuntu-latest
-    steps:
-      - 
-        name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-      -
-        name: Build
-        id: docker_build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          push: false
-          load: true
-          tags: localbuild/testimage:latest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-      -
-        name: Generate SBOM and upload dependency results
-        uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
-        with:
-          image: localbuild/testimage:latest
-          artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json"
-          output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
-          dependency-snapshot: false
-          format: cyclonedx-json
-          upload-artifact: true
-      -
-        name: Scan SBOM
-        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
-        id: scan
-        with:
-          add-cpes-if-none: true
-          fail-build: false
-          sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
-          output-format: sarif
-      -
-        name: Upload Anchore scan SARIF report
-        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}