Skip to content

Adding Harbor for Phase 2 workflow, primarily a Go project #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Jan 18, 2025
Merged

Adding Harbor for Phase 2 workflow, primarily a Go project #64

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
29f45db
Adding Harbor for Phase 2 workflow, primarely a Go project
Dec 9, 2024
ed0026f
Referenced Harbor workflow in ReadMe file
Dec 10, 2024
9e1af5f
Update .github/workflows/phase_2_harbor.yml
Jan 14, 2025
b61072a
Update .github/workflows/phase_2_harbor.yml
Jan 14, 2025
bb9598c
Update .github/workflows/phase_2_harbor.yml
Jan 14, 2025
3e7ec85
Update .github/workflows/phase_2_harbor.yml
Jan 14, 2025
0fdf0af
using published release version 2.12.1, not repository code
Jan 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
221 changes: 221 additions & 0 deletions .github/workflows/phase_2_harbor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,221 @@
---
name: Phase 2 - Harbor
on:
push:
paths:
- .github/workflows/phase_2_harbor.yml

env:
HARBOR_TAG: 2.11.2
PARLAY_VERSION: 0.6.0
SBOMASM_VERSION: 0.1.5
SBOMQS_VERSION: 0.1.9
TRIVY_VERSION: 0.54.1

jobs:
Generate:
runs-on: ubuntu-latest
steps:
- name: Install Trivy
run: |
curl -L -o /tmp/trivy.tgz \
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
tar xvf /tmp/trivy.tgz -C /tmp
chmod +x /tmp/trivy

- name: Checkout Harbor
run: |
git --version
git clone https://github.com/goharbor/harbor.git
pwd
cp -r harbor harbor-${HARBOR_TAG}
ls harbor-${HARBOR_TAG}


- name: Generate SBOM with Trivy
run: |
/tmp/trivy fs \
--timeout 30m0s \
--parallel 0 \
--format cyclonedx \
--skip-db-update \
--offline-scan \
--output /tmp/generated-harbor-sbom.cdx.json \
harbor-${HARBOR_TAG}

/tmp/trivy fs \
--timeout 30m0s \
--parallel 0 \
--format spdx-json \
--skip-db-update \
--offline-scan \
--output /tmp/generated-harbor-sbom.spdx.json \
harbor-${HARBOR_TAG}

- name: Upload Generated CycloneDX SBOM
uses: actions/upload-artifact@v4 # v4
with:
name: generated-harbor-sbom-cyclonedx
path: "/tmp/generated-harbor-sbom.cdx.json"
if-no-files-found: error

- name: Upload Generated SPDX SBOM
uses: actions/upload-artifact@v4 # v4
with:
name: generated-harbor-sbom-spdx
path: "/tmp/generated-harbor-sbom.spdx.json"
if-no-files-found: error

- name: List Downloaded Artifacts
run: ls -lha

Augment:
runs-on: ubuntu-latest
needs: Generate
steps:

- uses: actions/checkout@v4 # v4

- name: Download all workflow run artifacts
uses: actions/download-artifact@v4 # v4

- name: Augment Stage - List Downloaded Artifacts
run: ls -lha

- name: Install sbomasm
run: |
curl -L -o /tmp/sbomasm \
"https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64"
chmod +x /tmp/sbomasm

- name: Augment harbor SPDX
run: |
# Augment the Generated SPDX with updated document information
# - Using `--append` option to ensure the author information is appended instead
# of replacing the tool information.
/tmp/sbomasm edit --append --subject Document \
--author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
--supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
--repository 'https://github.com/goharbor/harbor.git' \
--license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
generated-harbor-sbom-spdx/generated-harbor-sbom.spdx.json > augmented_harbor-sbom.spdx.json

# Augment the Generated SPDX with updated primary component information
/tmp/sbomasm edit --subject primary-component \
--supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
--repository 'https://github.com/goharbor/harbor.git' \
--license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
augmented_harbor-sbom.spdx.json > /tmp/augmented_harbor-sbom.spdx.json

- name: Augment Harbor CycloneDX
run: |
# Augment the Generated CycloneDX with updated document information
/tmp/sbomasm edit --subject Document \
--author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
--supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
--lifecycle 'pre-build' \
--repository 'https://github.com/goharbor/harbor.git' \
--license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
generated-harbor-sbom-cyclonedx/generated-harbor-sbom.cdx.json > augmented_harbor-sbom.cdx.json

# Augment the Generated CycloneDX with updated primary component information
/tmp/sbomasm edit --subject primary-component \
--author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
--supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
--repository 'https://github.com/goharbor/harbor.git' \
--license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
augmented_harbor-sbom.cdx.json > /tmp/augmented_harbor-sbom.cdx.json

- name: Upload Augmented SPDX SBOM
uses: actions/upload-artifact@v4 # v4
with:
name: augmented-harbor-sbom-spdx
path: "/tmp/augmented_harbor-sbom.spdx.json"

- name: Upload Augmented CycloneDX SBOM
uses: actions/upload-artifact@v4 # v4
with:
name: augmented-harbor-sbom-cyclonedx
path: "/tmp/augmented_harbor-sbom.cdx.json"

Enrich:
runs-on: ubuntu-latest
needs: Augment
steps:

- uses: actions/checkout@v4 # v4
- name: Enrich Download all workflow run artifacts
uses: actions/download-artifact@v4 # v4

- name: Enrich Stage - List Downloaded Artifacts
run: ls -lha

- name: Enrich Stage - Download all workflow run artifacts
uses: actions/download-artifact@v4 # v4

- name: Install parlay
run: |
curl -Ls https://github.com/snyk/parlay/releases/download/v${PARLAY_VERSION}/parlay_Linux_x86_64.tar.gz | tar xvz -C /tmp
chmod +x /tmp/parlay

- name: Enrich Harbor CycloneDX
run: |
/tmp/parlay ecosystems enrich \
augmented-harbor-sbom-cyclonedx/augmented_harbor-sbom.cdx.json > /tmp/enriched_harbor-sbom.cdx.json

- name: Enrich Harbor SPDX
run: |
/tmp/parlay ecosystems enrich \
augmented-harbor-sbom-spdx/augmented_harbor-sbom.spdx.json > /tmp/enriched_harbor-sbom.spdx.json

- name: Upload Enriched SPDX SBOM
uses: actions/upload-artifact@v4 # v4
with:
name: enriched-harbor-sbom-spdx
path: "/tmp/enriched_harbor-sbom.spdx.json"

- name: Upload Enriched CycloneDX SBOM
uses: actions/upload-artifact@v4 # v4
with:
name: enriched-harbor-sbom-cyclonedx
path: "/tmp/enriched_harbor-sbom.cdx.json"

- name: Save Final SBOMs
run: |
cp /tmp/enriched_harbor-sbom.spdx.json /tmp/final_harbor-sbom.spdx.json
cp /tmp/enriched_harbor-sbom.cdx.json /tmp/final_harbor-sbom.cdx.json

- name: Upload Final SPDX SBOM
uses: actions/upload-artifact@v4 # v4
with:
name: final-harbor-sbom-spdx
path: "/tmp/final_harbor-sbom.spdx.json"

- name: Upload Final CycloneDX SBOM
uses: actions/upload-artifact@v4 # v4
with:
name: final-harbor-sbom-cyclonedx
path: "/tmp/final_harbor-sbom.cdx.json"

Validate:
needs: Enrich
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Download SBOMs
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4

- name: Install sbomqs
run: |
curl -L -o /tmp/sbomqs \
"https://github.com/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64"
chmod +x /tmp/sbomqs

- name: "Display SBOM quality score through sbomqs"
run: |
echo \`\`\` >> ${GITHUB_STEP_SUMMARY}
for SBOM in $(find . -iname final*.json); do
/tmp/sbomqs score "$SBOM" >> ${GITHUB_STEP_SUMMARY}
done
echo \`\`\` >> ${GITHUB_STEP_SUMMARY}
Loading