From 4007bacbc41662f07f53265b1d74d5969f6e53ec Mon Sep 17 00:00:00 2001 From: Andre Vieira Date: Thu, 21 Mar 2024 11:30:49 +0000 Subject: [PATCH] chore(actions): cyclonedx sbom --- .github/workflows/prereleased.yaml | 35 ++++------------------------ .github/workflows/pull-request.yaml | 36 +++++++---------------------- 2 files changed, 12 insertions(+), 59 deletions(-) diff --git a/.github/workflows/prereleased.yaml b/.github/workflows/prereleased.yaml index 164fe13..417368a 100644 --- a/.github/workflows/prereleased.yaml +++ b/.github/workflows/prereleased.yaml @@ -24,7 +24,6 @@ env: AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} SBOM_FILENAME: docker-sbom - NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }} @@ -92,26 +91,12 @@ jobs: load: true tags: ${{ env.DOCKER_IMAGE_TAG }} - - name: Create Docker SBOM + - name: Create SBOM uses: anchore/sbom-action@v0 with: upload-artifact-retention: 1 - image: ${{ steps.docker_build.outputs.imageId }} - format: spdx-json - upload-release-assets: false - output-file: ${{ env.SBOM_FILENAME }}.spdx.json - - - name: Scan SBOM - id: scan_sbom - uses: anchore/scan-action@v3 - with: - sbom: ${{ env.SBOM_FILENAME }}.spdx.json - output-format: sarif - fail-build: false - - - name: Determine number of noticiable vulnerabilities - id: count_vulnerabilities - run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT + format: cyclonedx-json + output-file: ${{ env.SBOM_FILENAME }}.cyclonedx.json - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 
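Review bot: With `image: ${{ steps.docker_build.outputs.imageId }}` removed from the Create SBOM step in the @@ -92,26 +91,12 hunk, anchore/sbom-action no longer targets the image built by the preceding docker_build step and, going by the action's documented defaults, falls back to its `path` input (the repository checkout), so the file copied to S3 describes the source tree rather than the published image. Restoring `image: ${{ steps.docker_build.outputs.imageId }}` under `with:` keeps the CycloneDX output tied to the artifact that is actually released. Dropping `upload-release-assets: false` also re-enables the action's default of attaching the SBOM to the GitHub release on this prerelease trigger; if that is intended it deserves a word in the commit message, otherwise the line should stay. The Scan SBOM step and the count of medium/high/critical findings are removed here and in pull-request.yaml (@@ -73) with no replacement, so vulnerabilities are no longer surfaced anywhere; if the scan was only meant to survive the format change, anchore/scan-action can be pointed at the new file via `sbom: ${{ env.SBOM_FILENAME }}.cyclonedx.json`.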
@@ -121,19 +106,7 @@ jobs: - name: Copy SBOM to S3 run: | - aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json - aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif - - - name: Update Notion Page - uses: ydataai/update-notion-page@v1 - env: - STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }} - STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }} - with: - notion_secret: ${{ secrets.NOTION_SECRET }} - notion_database_id: ${{ env.NOTION_DATABASE_ID }} - notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }' - notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }' + aws s3 cp ${{ env.SBOM_FILENAME }}.cyclonedx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ matrix.package }}-${{ env.SBOM_FILENAME }}.cyclonedx.json - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 9bd9ab5..2711f95 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml 
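Review bot: The new S3 key prefixes the object name with `${{ matrix.package }}`, but nothing in this hunk shows the job running under a matrix; if the job in prereleased.yaml is not a matrix job the expression expands to an empty string and the object lands as `-docker-sbom.cyclonedx.json`. The pull-request workflow's equivalent line (@@ -94) writes `${{ env.SBOM_FILENAME }}.cyclonedx.json` with no prefix, so the two workflows now name SBOMs for the same repository differently, which any consumer of the repos-sboms bucket will have to special-case. Either drop the prefix here, `aws s3 cp ${{ env.SBOM_FILENAME }}.cyclonedx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.cyclonedx.json`, or apply the same matrix-aware key in both files. The job that owns this step begins outside the hunk, so the presence of a matrix cannot be confirmed from the diff.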
@@ -3,19 +3,17 @@ name: Pull request on: - push: - branches: - - renovate/** pull_request: branches: - master + types: + - ready_for_review env: AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} SBOM_FILENAME: package-sbom - NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }} @@ -73,18 +71,12 @@ jobs: format: spdx-json output-file: ${{ env.SBOM_FILENAME }}.spdx.json - - name: Scan SBOM - id: scan_sbom - uses: anchore/scan-action@v3 + - name: Create SBOM + uses: anchore/sbom-action@v0 with: - sbom: ${{ env.SBOM_FILENAME }}.spdx.json - output-format: sarif - fail-build: false - - - name: Determine number of noticiable vulnerabilities - id: count_vulnerabilities - run: | - echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT + upload-artifact-retention: 1 + format: cyclonedx-json + output-file: ${{ env.SBOM_FILENAME }}.cyclonedx.json - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 
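Review bot: Adding `types: - ready_for_review` under `pull_request` replaces, rather than extends, the event's default activity types (opened, synchronize, reopened), so once a PR is marked ready no later push to it re-runs this workflow and the SBOM uploaded to S3 goes stale against what is eventually merged. If the goal is only to skip draft PRs, list the defaults as well, `types: [opened, synchronize, reopened, ready_for_review]`, and gate the job with `if: github.event.pull_request.draft == false`. Removing the `push: branches: renovate/**` trigger is a separate behavioural change that the commit message does not mention.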
@@ -94,16 +86,4 @@ jobs: - name: Copy SBOM to S3 run: | - aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json - aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif - - - name: Update Notion Page - uses: ydataai/update-notion-page@v1 - env: - STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }} - STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }} - with: - notion_secret: ${{ secrets.NOTION_SECRET }} - notion_database_id: ${{ env.NOTION_DATABASE_ID }} - notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }' - notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }' + aws s3 cp ${{ env.SBOM_FILENAME }}.cyclonedx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.cyclonedx.json
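Review bot: The Copy SBOM to S3 step now uploads only the CycloneDX file, while the context lines of @@ -73 show an spdx-json step (`output-file: ${{ env.SBOM_FILENAME }}.spdx.json`) still running earlier in this workflow, so the SPDX SBOM is generated on every run and then kept only as a workflow artifact. If SPDX is no longer wanted, that earlier step should be deleted as part of this change; if it is, keep a second copy line, `aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json`. Note that prereleased.yaml converts its single SBOM step in place, so only pull-request.yaml ends up with two SBOM steps and one upload.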