Skip to content

Commit

Permalink
chore(actions): cyclonedx sbom
Browse files Browse the repository at this point in the history
  • Loading branch information
Andre Vieira committed Mar 21, 2024
1 parent 1c2d31d commit 4d0d59d
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 60 deletions.
35 changes: 4 additions & 31 deletions .github/workflows/prereleased.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ env:

AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
SBOM_FILENAME: docker-sbom
NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}



Expand Down Expand Up @@ -89,26 +88,12 @@ jobs:
load: true
tags: ${{ env.DOCKER_IMAGE_TAG }}

- name: Create Docker SBOM
- name: Create SBOM
uses: anchore/sbom-action@v0
with:
upload-artifact-retention: 1
image: ${{ steps.docker_build.outputs.imageId }}
format: spdx-json
upload-release-assets: false
output-file: ${{ env.SBOM_FILENAME }}.spdx.json

- name: Scan SBOM
id: scan_sbom
uses: anchore/scan-action@v3
with:
sbom: ${{ env.SBOM_FILENAME }}.spdx.json
output-format: sarif
fail-build: false

- name: Determine number of noticiable vulnerabilities
id: count_vulnerabilities
run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
format: cyclonedx-json
output-file: ${{ env.SBOM_FILENAME }}.cyclonedx.json

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
Expand All @@ -118,19 +103,7 @@ jobs:

- name: Copy SBOM to S3
run: |
aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
- name: Update Notion Page
uses: ydataai/update-notion-page@v1
env:
STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
with:
notion_secret: ${{ secrets.NOTION_SECRET }}
notion_database_id: ${{ env.NOTION_DATABASE_ID }}
notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
aws s3 cp ${{ env.SBOM_FILENAME }}.cyclonedx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ matrix.package }}-${{ env.SBOM_FILENAME }}.cyclonedx.json
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
Expand Down
34 changes: 5 additions & 29 deletions .github/workflows/pull-request.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,14 @@ on:
pull_request:
branches:
- master
types:
- ready_for_review



env:
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
SBOM_FILENAME: package-sbom
NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}



Expand Down Expand Up @@ -67,21 +68,8 @@ jobs:
uses: anchore/sbom-action@v0
with:
upload-artifact-retention: 1
format: spdx-json
output-file: ${{ env.SBOM_FILENAME }}.spdx.json

- name: Scan SBOM
id: scan_sbom
uses: anchore/scan-action@v3
with:
sbom: ${{ env.SBOM_FILENAME }}.spdx.json
output-format: sarif
fail-build: false

- name: Determine number of noticiable vulnerabilities
id: count_vulnerabilities
run: |
echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
format: cyclonedx-json
output-file: ${{ env.SBOM_FILENAME }}.cyclonedx.json

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
Expand All @@ -91,16 +79,4 @@ jobs:

- name: Copy SBOM to S3
run: |
aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
- name: Update Notion Page
uses: ydataai/update-notion-page@v1
env:
STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
with:
notion_secret: ${{ secrets.NOTION_SECRET }}
notion_database_id: ${{ env.NOTION_DATABASE_ID }}
notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
aws s3 cp ${{ env.SBOM_FILENAME }}.cyclonedx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.cyclonedx.json

0 comments on commit 4d0d59d

Please sign in to comment.