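# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ** SBOM + vulnerability scan **
#
# Two jobs:
#   1. fs scan    — CycloneDX SBOM of PHP (composer.lock) + JS (yarn.lock) dependencies, CVE gate
#   2. image scan — builds the runtime container image and scans the OS layer (Debian +
#                   apt packages) which the fs scan can't see. Posts a second BOM to a
#                   separate Dep-Track project (vars.DEPTRACK_CATROWEB_IMAGE_UUID).
#
# Complements:
#   - Dependabot    -> continuous CVE alerts via GitHub dependency graph
#   - SafeDep vet   -> supply-chain risk (malicious / unmaintained / typosquatted packages)
#   - This workflow -> CVE gate + auditable SBOM artifact per commit
#
# The SBOM is uploaded as a workflow artifact and can later be attached to GitHub Releases or
# fed into the Dependency-Track instance at https://deptrack.catrobat.org for CVE tracking.
#
# Credentials: the Dep-Track API key (secrets.DEPTRACK_API_KEY) is only used in steps gated to
# pushes on main, so pull_request runs (including fork PRs, which get no secrets) never touch it.
# Secrets and repo variables are handed to curl via `env:` instead of being expanded into the
# `run:` script text, so the values are not interpreted by the shell and do not end up in the
# generated step script.
#
# Third-party actions are pinned to release tags. For stronger tamper-resistance they can be
# pinned to the tag's full commit SHA (`uses: owner/repo@<full-commit-sha>  # vX.Y.Z`);
# Dependabot keeps SHA pins current as well.
#
# Trivy docs: https://aquasecurity.github.io/trivy/
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
name: SBOM

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [main]
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege: nothing here writes to the repository. Artifact uploads use the
# Actions runtime token, not GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  sbom:
    name: Generate SBOM + scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v7.0.0

      # Step 1: full dependency inventory (CycloneDX) from the lockfiles in the tree.
      - name: Generate CycloneDX SBOM
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: fs
          scan-ref: .
          format: cyclonedx
          output: sbom.cdx.json

      # Keep one SBOM per commit so a finding can later be traced to the exact tree.
      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v7
        with:
          name: sbom-${{ github.sha }}
          path: sbom.cdx.json
          retention-days: 90

      # Only the main-branch state is tracked in Dep-Track; PR runs are not uploaded.
      # NOTE(review): unlike the image job below, this step has no
      # `vars.DEPTRACK_CATROWEB_UUID != ''` guard, so a missing variable fails the job
      # here (Dep-Track rejects the request) rather than skipping — confirm that is intended.
      - name: Upload SBOM to Dependency-Track
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        env:
          DEPTRACK_API_KEY: ${{ secrets.DEPTRACK_API_KEY }}
          DEPTRACK_PROJECT_UUID: ${{ vars.DEPTRACK_CATROWEB_UUID }}
        run: |
          curl -sSf -X POST https://deptrack.catrobat.org/api/v1/bom \
            -H "X-API-Key: ${DEPTRACK_API_KEY}" \
            -F "project=${DEPTRACK_PROJECT_UUID}" \
            -F "bom=@sbom.cdx.json"

      # Step 2: the gate. Runs after the upload on purpose: Dep-Track should see the BOM
      # even when this step fails, so the finding is tracked there too.
      - name: Scan dependencies for CVEs
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH
          # Fail the job on any CRITICAL/HIGH finding that has a fix available.
          exit-code: '1'
          ignore-unfixed: true
          # Skip noisy categories — focus on dependency CVEs only.
          scanners: vuln

  image-scan:
    name: Scan container image
    runs-on: ubuntu-latest
    # The fs job above covers Composer + Yarn deps. This one covers the OS
    # layer (Debian bookworm-slim + apt packages baked into the runtime image)
    # which the fs scan can't see.
    steps:
      - name: Checkout
        uses: actions/checkout@v7.0.0

      - name: Set up Buildx
        uses: docker/setup-buildx-action@v4

      # The image is built locally (`load: true`) and never pushed to a registry;
      # it exists only for the scanner below.
      - name: Build runtime image (no push)
        uses: docker/build-push-action@v7.2.0
        with:
          context: .
          file: docker/Dockerfile
          load: true
          tags: catroweb:scan
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Generate CycloneDX SBOM for image
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: image
          image-ref: catroweb:scan
          format: cyclonedx
          output: image-sbom.cdx.json

      - name: Upload image SBOM artifact
        uses: actions/upload-artifact@v7
        with:
          name: image-sbom-${{ github.sha }}
          path: image-sbom.cdx.json
          retention-days: 90

      # The image project in Dep-Track is optional: skip cleanly when the UUID
      # variable is not configured instead of posting an empty project id.
      - name: Upload image SBOM to Dependency-Track
        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && vars.DEPTRACK_CATROWEB_IMAGE_UUID != ''
        env:
          DEPTRACK_API_KEY: ${{ secrets.DEPTRACK_API_KEY }}
          DEPTRACK_PROJECT_UUID: ${{ vars.DEPTRACK_CATROWEB_IMAGE_UUID }}
        run: |
          curl -sSf -X POST https://deptrack.catrobat.org/api/v1/bom \
            -H "X-API-Key: ${DEPTRACK_API_KEY}" \
            -F "project=${DEPTRACK_PROJECT_UUID}" \
            -F "bom=@image-sbom.cdx.json"

      # Soft-fail: this image is dev-only (the production deploy is PHP-FPM
      # via rsync, not a container image). We surface the OS-layer CVEs in
      # the Dep-Track project and in the job log for visibility but don't
      # block PRs on findings that don't ship to prod.
      # No `exit-code` is set here, so trivy itself already exits 0 on findings;
      # `continue-on-error` additionally keeps the job green if the scan step
      # errors for another reason (e.g. DB download).
      - name: Scan image for CVEs (report only)
        continue-on-error: true
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: image
          image-ref: catroweb:scan
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          scanners: vuln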