Merge pull request #26 from githubabcs-devops/feature/update09

CalinL · web-flow · commit c046501cec66 · 2025-04-21T12:40:42.000-04:00
Add SBOM upload steps and update permissions in workflow files
diff --git a/.github/workflows/CIS-Anchore-Grype.yml b/.github/workflows/CIS-Anchore-Grype.yml
@@ -18,6 +18,7 @@ env:
 
 permissions:
   contents: read # for actions/checkout to fetch code
+  id-token: write
   security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
   actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
   
@@ -52,3 +53,9 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+      
+      - name: Upload alerts file as a workflow artifact
+        uses: actions/upload-artifact@v4
+        with:  
+          name: alerts
+          path: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/CIS-Trivy-AquaSecurity.yml b/.github/workflows/CIS-Trivy-AquaSecurity.yml
@@ -18,6 +18,7 @@ env:
 
 permissions:
   contents: read # for actions/checkout to fetch code
+  id-token: write
   security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
   actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
   
@@ -47,3 +48,10 @@ jobs:
         if: always()
         with:
           sarif_file: "trivy-results.sarif"
+
+      - name: Upload alerts file as a workflow artifact
+        uses: actions/upload-artifact@v4
+        with:  
+          name: alerts
+          path: "trivy-results.sarif"
+      
diff --git a/.github/workflows/SCA-Anchore-Syft-SBOM.yml b/.github/workflows/SCA-Anchore-Syft-SBOM.yml
@@ -37,3 +37,8 @@ jobs:
           image: "${{ env.imageName }}:${{ env.tag }}"
           artifact-name: image.spdx.json
           dependency-snapshot: true
+      
+      - name: SBOM upload 
+        uses: advanced-security/spdx-dependency-submission-action@v0.1.1
+        with:
+          filePath: "image.spdx.json"
diff --git a/.github/workflows/SCA-Microsoft-SBOM.yml b/.github/workflows/SCA-Microsoft-SBOM.yml
@@ -2,8 +2,9 @@
 
 name: SCA - Microsoft SBOM Tool
 
-on: 
-  workflow_dispatch:
+on:
+  push:
+    branches: [main]
 
 env:
   SRC_PROJECT_PATH: '/webapp01/webapp01.csproj' 
@@ -37,4 +38,9 @@ jobs:
     - name: Upload a Build Artifact
       uses: actions/upload-artifact@v4
       with:
-        path: buildOutput
+        path: buildOutput
+
+    - name: SBOM upload 
+      uses: advanced-security/spdx-dependency-submission-action@v0.1.1
+      with:
+        filePath: "_manifest/spdx_2.2/"
diff --git a/src/webapp01/Dockerfile b/src/webapp01/Dockerfile
@@ -2,7 +2,6 @@
 
 # This stage is used when running from VS in fast mode (Default for Debug configuration)
 FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
-USER $APP_UID
 WORKDIR /app
 EXPOSE 8080
 EXPOSE 8081
