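---
# Build the ElectricEye image, produce a CycloneDX SBOM with Syft, scan that
# SBOM with Grype, and publish the SARIF result to the GitHub Security tab.
name: "Syft & Grype SBOM and Vuln Scan"

on:
  pull_request:
    branches: [master]

# Least-privilege token for the job: upload-sarif needs security-events: write,
# and nothing here writes to the repository. (Private repositories reportedly
# also need actions: read for upload-sarif -- confirm against the CodeQL action
# documentation before relying on this block there.)
permissions:
  contents: read
  security-events: write

jobs:
  Anchore-Syft-Grype:
    runs-on: ubuntu-latest
    steps:
      # Checkout the branch
      - name: Checkout
        uses: actions/checkout@v4

      # Build the ElectricEye Docker Image, locally
      - name: Build ElectricEye Docker Image
        run: docker build . --file Dockerfile --tag localbuild/electriceye:latest

      # Generate a CycloneDX JSON SBOM with Syft on the Image.
      # NOTE(review): the file is named *.spdx.json although the format is
      # CycloneDX; the name is kept as-is because the same string is reused by
      # the later steps and as the uploaded artifact name.
      - name: Generate CDX SBOM
        uses: anchore/sbom-action@v0
        with:
          image: localbuild/electriceye:latest
          format: cyclonedx-json  # the One True SBOM Format
          artifact-name: "${{ github.event.repository.name }}-sbom.spdx.json"
          output-file: "${{ github.event.repository.name }}-sbom.spdx.json"

      # Print SBOM to stdout
      - name: SBOM Printer Goes Brrrr
        run: cat "${{ github.event.repository.name }}-sbom.spdx.json"

      # Scan the CDX SBOM with Grype. With only-fixed: true only findings that
      # have a fix available are reported, so the critical cutoff fails the
      # build on fixable criticals only -- unfixed criticals pass silently.
      # NOTE(review): the action ref below was mangled by the page this file was
      # taken from; restore the original pinned ref (likely an anchore
      # scan-action tag -- confirm against the repository history).
      - name: Grype Scan SBOM
        uses: anchore/[email protected]
        id: scan
        with:
          output-format: sarif
          sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
          severity-cutoff: critical
          fail-build: true
          only-fixed: true

      # Print Grype SARIF Report to stdout
      - name: View Grype Scan SBOM Report
        if: always()  # run when build fails too
        run: cat "${{ steps.scan.outputs.sarif }}"

      # Upload Grype SARIF Report to GitHub Security. This must also run when
      # the scan step fails the build (fail-build: true); without if: always()
      # the report is dropped exactly when it contains findings.
      - name: Upload Grype Scan SBOM Report
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "${{ steps.scan.outputs.sarif }}"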