Create roadmap file for query module development. #101
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SBOM (Software Bill of Materials) Generation Workflow | ||
| # Generates SBOM using Syft and attests with Cosign | ||
| # Compliant with: BSI C5 (SSO-02), NIS2, NIST SSDF, Executive Order 14028 | ||
| name: SBOM Generation | ||
| on: | ||
| push: | ||
| tags: ['v*'] | ||
| release: | ||
| types: [published] | ||
| workflow_dispatch: | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write # For Cosign signing | ||
| jobs: | ||
| generate-sbom: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Install Syft | ||
| uses: anchore/sbom-action/download-syft@v0 | ||
| - name: Generate SBOM (SPDX) | ||
| run: | | ||
| syft . -o spdx-json=sbom-spdx.json | ||
| syft . -o spdx=sbom-spdx.spdx | ||
| - name: Generate SBOM (CycloneDX) | ||
| run: | | ||
| syft . -o cyclonedx-json=sbom-cyclonedx.json | ||
| syft . -o cyclonedx-xml=sbom-cyclonedx.xml | ||
| - name: Generate SBOM Summary | ||
| run: | | ||
| syft . -o table > sbom-summary.txt | ||
| echo "### SBOM Summary" >> $GITHUB_STEP_SUMMARY | ||
| echo '```' >> $GITHUB_STEP_SUMMARY | ||
| cat sbom-summary.txt >> $GITHUB_STEP_SUMMARY | ||
| echo '```' >> $GITHUB_STEP_SUMMARY | ||
| - name: Upload SBOM Artifacts | ||
| if: env.ACT != 'true' | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: sbom-artifacts | ||
| path: | | ||
| sbom-spdx.json | ||
| sbom-spdx.spdx | ||
| sbom-cyclonedx.json | ||
| sbom-cyclonedx.xml | ||
| sbom-summary.txt | ||
| retention-days: 90 | ||
| - name: Upload SBOM to Release | ||
| if: github.event_name == 'release' | ||
| uses: softprops/action-gh-release@v1 | ||
| with: | ||
| files: | | ||
| sbom-spdx.json | ||
| sbom-cyclonedx.json | ||
| vulnerability-scan: | ||
| needs: generate-sbom | ||
| runs-on: ubuntu-latest | ||
| if: env.ACT != 'true' | ||
| steps: | ||
| - name: Download SBOM | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: sbom-artifacts | ||
| - name: Install Grype | ||
| uses: anchore/scan-action/download-grype@v3 | ||
| - name: Scan SBOM for Vulnerabilities | ||
| run: | | ||
| grype sbom:sbom-cyclonedx.json -o table > vulnerability-report.txt | ||
| grype sbom:sbom-cyclonedx.json -o json > vulnerability-report.json | ||
| # Summary | ||
| echo "### Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY | ||
| echo '```' >> $GITHUB_STEP_SUMMARY | ||
| head -50 vulnerability-report.txt >> $GITHUB_STEP_SUMMARY | ||
| echo '```' >> $GITHUB_STEP_SUMMARY | ||
| - name: Upload Vulnerability Report | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: vulnerability-report | ||
| path: | | ||
| vulnerability-report.txt | ||
| vulnerability-report.json | ||
| retention-days: 90 | ||
| - name: Check for Critical Vulnerabilities | ||
| run: | | ||
| CRITICAL=$(grype sbom:sbom-cyclonedx.json -o json | jq '[.matches[] | select(.vulnerability.severity == "Critical")] | length') | ||
| HIGH=$(grype sbom:sbom-cyclonedx.json -o json | jq '[.matches[] | select(.vulnerability.severity == "High")] | length') | ||
| echo "Critical: $CRITICAL, High: $HIGH" | ||
| if [ "$CRITICAL" -gt 0 ]; then | ||
| echo "::warning::$CRITICAL critical vulnerabilities found!" | ||
| fi | ||
| if [ "$HIGH" -gt 5 ]; then | ||
| echo "::warning::$HIGH high vulnerabilities found!" | ||
| fi | ||
