ai-bom/templates/gitlab-ci-ai-bom.yml at main · Trusera/ai-bom · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# Trusera AI-BOM Scanner - GitLab CI Template
#
# Discovers and inventories AI/LLM agents, models, and API integrations
# in your codebase. Generates SBOM-style reports in SARIF, CycloneDX,
# SPDX, and more.
#
# Include in your .gitlab-ci.yml:
#
#   include:
#     - remote: 'https://raw.githubusercontent.com/Trusera/ai-bom/main/templates/gitlab-ci-ai-bom.yml'
#
# Or copy this file into your repository and include locally:
#
#   include:
#     - local: '.gitlab/ci/ai-bom.yml'
#
# Override variables in your .gitlab-ci.yml:
#
#   variables:
#     AI_BOM_FAIL_ON: "high"
#     AI_BOM_DEEP_SCAN: "true"
#     AI_BOM_POLICY_FILE: ".cedar/ai-policy.cedar"

stages:
  - security

variables:
  AI_BOM_VERSION: "latest"
  AI_BOM_SCAN_PATH: "."
  AI_BOM_FORMAT: "sarif"
  AI_BOM_FAIL_ON: ""
  AI_BOM_DEEP_SCAN: "false"
  AI_BOM_POLICY_FILE: ""
  AI_BOM_CEDAR_GATE_URL: "https://raw.githubusercontent.com/Trusera/ai-bom/main/scripts/cedar-gate.py"

# ──────────────────────────────────────────────────
# Job: ai-bom-scan
# Runs the AI-BOM scanner and produces a report artifact.
# When format is "sarif", the report is automatically
# integrated with GitLab's SAST results view.
# ──────────────────────────────────────────────────
ai-bom-scan:
  stage: security
  image: python:3.12-slim
  before_script:
    - |
      if [ "${AI_BOM_VERSION}" = "latest" ]; then
        pip install --quiet ai-bom
      else
        pip install --quiet "ai-bom==${AI_BOM_VERSION}"
      fi
  script:
    - |
      ARGS="scan ${AI_BOM_SCAN_PATH} --format ${AI_BOM_FORMAT} --quiet"

      # Output file — extension matches format
      case "${AI_BOM_FORMAT}" in
        sarif)    ARGS="${ARGS} -o ai-bom-report.sarif" ;;
        cyclonedx) ARGS="${ARGS} -o ai-bom-report.cdx.json" ;;
        spdx)     ARGS="${ARGS} -o ai-bom-report.spdx.json" ;;
        json)     ARGS="${ARGS} -o ai-bom-report.json" ;;
        csv)      ARGS="${ARGS} -o ai-bom-report.csv" ;;
        html)     ARGS="${ARGS} -o ai-bom-report.html" ;;
        markdown) ARGS="${ARGS} -o ai-bom-report.md" ;;
        *)        ARGS="${ARGS} -o ai-bom-report.txt" ;;
      esac

      if [ "${AI_BOM_DEEP_SCAN}" = "true" ]; then
        ARGS="${ARGS} --deep"
      fi

      if [ -n "${AI_BOM_FAIL_ON}" ]; then
        ARGS="${ARGS} --fail-on ${AI_BOM_FAIL_ON}"
      fi

      echo "Running: ai-bom ${ARGS}"
      ai-bom ${ARGS}
  artifacts:
    reports:
      sast: ai-bom-report.sarif
    paths:
      - ai-bom-report.*
    when: always
    expire_in: 30 days
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
  allow_failure: false

# ──────────────────────────────────────────────────
# Job: ai-bom-policy-gate (optional)
# Evaluates scan results against a Cedar-like policy file.
# Only runs when AI_BOM_POLICY_FILE is set.
# ──────────────────────────────────────────────────
ai-bom-policy-gate:
  stage: security
  image: python:3.12-slim
  needs: ["ai-bom-scan"]
  before_script:
    - |
      if [ "${AI_BOM_VERSION}" = "latest" ]; then
        pip install --quiet ai-bom
      else
        pip install --quiet "ai-bom==${AI_BOM_VERSION}"
      fi
  script:
    - |
      if [ -z "${AI_BOM_POLICY_FILE}" ]; then
        echo "No policy file specified, skipping policy gate"
        exit 0
      fi

      if [ ! -f "${AI_BOM_POLICY_FILE}" ]; then
        echo "Error: policy file not found: ${AI_BOM_POLICY_FILE}"
        exit 1
      fi

      echo "Generating JSON scan results for policy evaluation..."
      SCAN_ARGS="scan ${AI_BOM_SCAN_PATH} --format json --quiet -o policy-results.json"
      if [ "${AI_BOM_DEEP_SCAN}" = "true" ]; then
        SCAN_ARGS="${SCAN_ARGS} --deep"
      fi
      ai-bom ${SCAN_ARGS}

      echo "Downloading Cedar policy gate script..."
      curl -sSfL "${AI_BOM_CEDAR_GATE_URL}" -o cedar-gate.py

      echo "Evaluating policy: ${AI_BOM_POLICY_FILE}"
      python3 cedar-gate.py policy-results.json "${AI_BOM_POLICY_FILE}"
  artifacts:
    paths:
      - policy-results.json
    when: always
    expire_in: 30 days
  rules:
    - if: '$AI_BOM_POLICY_FILE != ""'
  allow_failure: false