@@ -66,16 +66,15 @@ jobs:
6666 script : return await core.getIDToken("sigstore")
6767 result-encoding : string
6868
69- # Step 2: SAST scan producing SARIF
69+ # Step 2: SAST scan — gosec runs INSIDE cilock so SARIF file is a product
7070 - name : sast-scan
7171 run : |
72- # Run gosec, output SARIF (allow non-zero exit — findings are expected)
73- gosec -fmt sarif -out gosec-results.sarif ./... || true
7472 cilock run --step sast-scan \
7573 -a environment \
7674 -a git \
7775 -a github \
7876 -a sarif \
77+ --attestor-product-include-glob "*.sarif" \
7978 --signer-fulcio-url "$STAGING_URL" \
8079 --signer-fulcio-use-http \
8180 --signer-fulcio-token "${{ steps.oidc_sast.outputs.result }}" \
8584 --enable-archivista \
8685 --archivista-server "$STAGING_URL/archivista" \
8786 --archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
88- -- echo "sast scan complete "
87+ -- bash -c "gosec -fmt sarif -out gosec-results.sarif ./... || true "
8988
9089 - name : refresh oidc token for test
9190 id : oidc_test
@@ -119,11 +118,9 @@ jobs:
119118 script : return await core.getIDToken("sigstore")
120119 result-encoding : string
121120
122- # Step 4: Build binary + generate SBOM with syft
121+ # Step 4: Build binary + SBOM — syft runs INSIDE cilock so SBOM is a product
123122 - name : build
124123 run : |
125- CGO_ENABLED=0 go build -o bin/dropbox-clone ./cmd/api
126- syft bin/dropbox-clone -o cyclonedx-json=sbom.cdx.json
127124 cilock run --step build \
128125 -a environment \
129126 -a git \
@@ -139,7 +136,7 @@ jobs:
139136 --enable-archivista \
140137 --archivista-server "$STAGING_URL/archivista" \
141138 --archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
142- -- echo " build complete "
139+ -- bash -c "CGO_ENABLED=0 go build -o bin/dropbox-clone ./cmd/api && syft bin/dropbox-clone -o cyclonedx-json=sbom.cdx.json "
143140
144141 - name : refresh oidc token for docker
145142 id : oidc_docker
0 commit comments