
Commit 14f4e96

committed
gh-actions: vuln scan and sbom attestation
1 parent 5f63a9e commit 14f4e96

1 file changed

Lines changed: 119 additions & 0 deletions

File tree

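--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
@@ -60,6 +60,65 @@ jobs:
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
 
+# github.com/microsoft/sbom-tool
+# github.com/microsoft/sbom-tool/blob/f5f65011f2/docs/sbom-tool-arguments.md?plain=1#L1
+- name: 🧾 SBOM
+run: |
+mkdir -p "${{ github.workspace }}/sarifoutput"
+
+# docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository#generating-a-software-bill-of-materials-from-github-actions
+# github.com/marketplace/actions/spdx-dependency-submission-action
+curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+chmod +x $RUNNER_TEMP/sbom-tool
+$RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ${{ github.repository }} -pv 1.0.0 -ps Celzero -nsb https://sbom.rethinkdns.com/app -V Verbose
+
+# github.com/marketplace/actions/anchore-container-scan
+# github.com/anchore/scan-action
+- name: 🎞 Grype Container report
+uses: anchore/scan-action@v7
+id: scanc
+with:
+image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}"
+output-file: "${{ github.workspace }}/sarifoutput/cont.sarif"
+# fail-build: false
+# severity-cutoff: critical
+
+# github.com/marketplace/actions/anchore-container-scan
+# github.com/anchore/scan-action
+- name: 🎞 Grype SBOM report
+uses: anchore/scan-action@v7
+id: scansbom
+with:
+sbom: "${{ github.workspace }}/_manifest/spdx_2.2/manifest.spdx.json"
+output-file: "${{ github.workspace }}/sarifoutput/sbom.sarif"
+# fail-build: false
+# severity-cutoff: critical
+
+- name: 📻 Grype SBOM to code-scanning
+uses: github/codeql-action/upload-sarif@v4
+with:
+# can also be a directory containing multiple sarif files
+sarif_file: "${{ github.workspace }}/sarifoutput/"
+
+- name: 📝 SBOM submission
+if: success()
+continue-on-error: true
+uses: advanced-security/spdx-dependency-submission-action@v0.1.1
+with:
+filePath: "_manifest/spdx_2.2/"
+
+# github.com/actions/attest-sbom
+# docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations#generating-an-sbom-attestation-for-binaries
+- name: 🧶 SBOM attestation
+if: success()
+continue-on-error: true
+uses: actions/attest-sbom@v3
+with:
+subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+subject-digest: ${{ steps.push.outputs.digest }}
+sbom-path: "${{ github.workspace }}/_manifest/spdx_2.2/manifest.spdx.json"
+push-to-registry: true
+
 bunjs:
 name: 🚀 Bun on Alpine
 runs-on: ubuntu-latest
@@ -106,3 +165,63 @@ jobs:
 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_BUN }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
+
+# github.com/microsoft/sbom-tool
+# github.com/microsoft/sbom-tool/blob/f5f65011f2/docs/sbom-tool-arguments.md?plain=1#L1
+- name: 🧾 SBOM
+run: |
+mkdir -p "${{ github.workspace }}/sarifoutput"
+
+# docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository#generating-a-software-bill-of-materials-from-github-actions
+# github.com/marketplace/actions/spdx-dependency-submission-action
+curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+chmod +x $RUNNER_TEMP/sbom-tool
+$RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ${{ github.repository }} -pv 1.0.0 -ps Celzero -nsb https://sbom.rethinkdns.com/app -V Verbose
+
+# github.com/marketplace/actions/anchore-container-scan
+# github.com/anchore/scan-action
+- name: 🎞 Grype Container report
+uses: anchore/scan-action@v7
+id: scanc
+with:
+# tag would be: fromJSON(steps.meta.outputs.json).images[0].tags[0]
+image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME_BUN }}@${{ steps.push.outputs.digest }}"
+output-file: "${{ github.workspace }}/sarifoutput/cont.sarif"
+# fail-build: false
+# severity-cutoff: critical
+
+# github.com/marketplace/actions/anchore-container-scan
+# github.com/anchore/scan-action
+- name: 🎞 Grype SBOM report
+uses: anchore/scan-action@v7
+id: scansbom
+with:
+sbom: "${{ github.workspace }}/_manifest/spdx_2.2/manifest.spdx.json"
+output-file: "${{ github.workspace }}/sarifoutput/sbom.sarif"
+# fail-build: false
+# severity-cutoff: critical
+
+- name: 📻 Grype SBOM to code-scanning
+uses: github/codeql-action/upload-sarif@v4
+with:
+# can also be a directory containing multiple sarif files
+sarif_file: "${{ github.workspace }}/sarifoutput/"
+
+- name: 📝 SBOM submission
+if: success()
+continue-on-error: true
+uses: advanced-security/spdx-dependency-submission-action@v0.1.1
+with:
+filePath: "_manifest/spdx_2.2/"
+
+# github.com/actions/attest-sbom
+# docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations#generating-an-sbom-attestation-for-binaries
+- name: 🧶 SBOM attestation
+if: success()
+continue-on-error: true
+uses: actions/attest-sbom@v3
+with:
+subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_BUN }}
+subject-digest: ${{ steps.push.outputs.digest }}
+sbom-path: "${{ github.workspace }}/_manifest/spdx_2.2/manifest.spdx.json"
+push-to-registry: true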
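Review bot: The `curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64` line in the SBOM step fetches whatever release is current and executes it with no integrity check, so the tool that produces the SBOM fed into the attestation is itself an unpinned, unverified download; the same lines recur in the bunjs job's SBOM step in the second hunk. Pin the release and verify the binary before running it, e.g. `curl -Lo "$RUNNER_TEMP/sbom-tool" "https://github.com/microsoft/sbom-tool/releases/download/<PINNED_TAG>/sbom-tool-linux-x64"` followed by `echo "<EXPECTED_SHA256>  $RUNNER_TEMP/sbom-tool" | sha256sum -c -` (placeholders for the chosen tag and its published digest), and quote `$RUNNER_TEMP` throughout. Relatedly, `continue-on-error: true` on the SBOM attestation step means a failed attestation does not fail the job while the image has already been pushed, so downstream verifiers should not assume every pushed digest carries one; a comment such as `# best-effort: attestation failure does not fail the job` would make that intent explicit. The enclosing jobs begin before each hunk, and the first job's step list is followed by the `bunjs:` job shown as context.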
