build(deps-dev): bump browserslist from 4.28.2 to 4.28.4 #264
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| # ** SBOM + vulnerability scan ** | |
| # | |
| # Two jobs: | |
| # 1. fs scan — CycloneDX SBOM of PHP (composer.lock) + JS (yarn.lock) dependencies, CVE gate | |
| # 2. image scan — builds the runtime container image and scans the OS layer (Debian + | |
| # apt packages) which the fs scan can't see. Posts a second BOM to a | |
| # separate Dep-Track project (vars.DEPTRACK_CATROWEB_IMAGE_UUID). | |
| # | |
| # Complements: | |
| # - Dependabot -> continuous CVE alerts via GitHub dependency graph | |
| # - SafeDep vet -> supply-chain risk (malicious / unmaintained / typosquatted packages) | |
| # - This workflow -> CVE gate + auditable SBOM artifact per commit | |
| # | |
| # The SBOM is uploaded as a workflow artifact and can later be attached to GitHub Releases or | |
| # fed into the Dependency-Track instance at https://deptrack.catrobat.org for CVE tracking. | |
| # | |
| # Trivy docs: https://aquasecurity.github.io/trivy/ | |
| # | |
| # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| name: SBOM | |
| on: | |
| pull_request: | |
| branches: [main] | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| sbom: | |
| name: Generate SBOM + scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v7.0.0 | |
| - name: Generate CycloneDX SBOM | |
| uses: aquasecurity/trivy-action@v0.36.0 | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| format: cyclonedx | |
| output: sbom.cdx.json | |
| - name: Upload SBOM artifact | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: sbom-${{ github.sha }} | |
| path: sbom.cdx.json | |
| retention-days: 90 | |
| - name: Upload SBOM to Dependency-Track | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| run: | | |
| curl -sSf -X POST https://deptrack.catrobat.org/api/v1/bom \ | |
| -H "X-API-Key: ${{ secrets.DEPTRACK_API_KEY }}" \ | |
| -F "project=${{ vars.DEPTRACK_CATROWEB_UUID }}" \ | |
| -F "bom=@sbom.cdx.json" | |
| - name: Scan dependencies for CVEs | |
| uses: aquasecurity/trivy-action@v0.36.0 | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| severity: CRITICAL,HIGH | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| # Skip noisy categories — focus on dependency CVEs only. | |
| scanners: vuln | |
| image-scan: | |
| name: Scan container image | |
| runs-on: ubuntu-latest | |
| # The fs job above covers Composer + Yarn deps. This one covers the OS | |
| # layer (Debian bookworm-slim + apt packages baked into the runtime image) | |
| # which the fs scan can't see. | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v7.0.0 | |
| - name: Set up Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Build runtime image (no push) | |
| uses: docker/build-push-action@v7.2.0 | |
| with: | |
| context: . | |
| file: docker/Dockerfile | |
| load: true | |
| tags: catroweb:scan | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Generate CycloneDX SBOM for image | |
| uses: aquasecurity/trivy-action@v0.36.0 | |
| with: | |
| scan-type: image | |
| image-ref: catroweb:scan | |
| format: cyclonedx | |
| output: image-sbom.cdx.json | |
| - name: Upload image SBOM artifact | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: image-sbom-${{ github.sha }} | |
| path: image-sbom.cdx.json | |
| retention-days: 90 | |
| - name: Upload image SBOM to Dependency-Track | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' && vars.DEPTRACK_CATROWEB_IMAGE_UUID != '' | |
| run: | | |
| curl -sSf -X POST https://deptrack.catrobat.org/api/v1/bom \ | |
| -H "X-API-Key: ${{ secrets.DEPTRACK_API_KEY }}" \ | |
| -F "project=${{ vars.DEPTRACK_CATROWEB_IMAGE_UUID }}" \ | |
| -F "bom=@image-sbom.cdx.json" | |
| # Soft-fail: this image is dev-only (the production deploy is PHP-FPM | |
| # via rsync, not a container image). We surface the OS-layer CVEs in | |
| # the Dep-Track project and in the job log for visibility but don't | |
| # block PRs on findings that don't ship to prod. | |
| - name: Scan image for CVEs (report only) | |
| continue-on-error: true | |
| uses: aquasecurity/trivy-action@v0.36.0 | |
| with: | |
| scan-type: image | |
| image-ref: catroweb:scan | |
| severity: CRITICAL,HIGH | |
| ignore-unfixed: true | |
| scanners: vuln |