Generate SBOMs for a release #14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate SBOMs for a release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| #checkov:skip=CKV_GHA_7:This is a false positive | |
| release: | |
| description: 'SecObserve release (without the v)' | |
| required: true | |
| permissions: read-all | |
| jobs: | |
| generate_sboms: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| ref: 'v${{ github.event.inputs.release }}' | |
| - | |
| name: Install programs | |
| env: | |
| CYCLONE_DX_BOM_VERSION: 4.1.2 | |
| CYCLONE_DX_NPM_VERSION: 1.16.1 | |
| SBOM_UTILITY_VERSION: 0.15.0 | |
| PARLAY_VERSION: 0.3.0 | |
| TRIVY_VERSION: 0.49.1 | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y python3-pip npm | |
| python -m pip install --upgrade cyclonedx-bom=="$CYCLONE_DX_BOM_VERSION" | |
| npm install -g @cyclonedx/cyclonedx-npm@"$CYCLONE_DX_NPM_VERSION" | |
| cd /usr/local/bin | |
| wget --no-verbose https://github.com/CycloneDX/sbom-utility/releases/download/v"$SBOM_UTILITY_VERSION"/sbom-utility-v"$SBOM_UTILITY_VERSION"-linux-amd64.tar.gz -O - | tar -zxf - | |
| wget --no-verbose https://github.com/snyk/parlay/releases/download/v"$PARLAY_VERSION"/parlay_Linux_x86_64.tar.gz -O - | tar -zxf - | |
| wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v"$TRIVY_VERSION"/trivy_"$TRIVY_VERSION"_Linux-64bit.tar.gz -O - | tar -zxf - | |
| - | |
| name: Generate SBOM for backend application | |
| env: | |
| VERSION: ${{ github.event.inputs.release }} | |
| working-directory: ./sbom | |
| run: | | |
| sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_application.json | |
| cyclonedx-py poetry --only main,prod --output-format json ../backend \ | |
| | parlay ecosystems enrich - \ | |
| | sbom-utility trim --keys=externalReferences,properties,vulnerabilities --quiet --input-file - \ | |
| | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| | sbom-utility patch --patch-file ./configuration/patch_backend_application.json --quiet --input-file - --output-file sbom_backend_application_"$VERSION".json | |
| sbom-utility validate --input-file sbom_backend_application_"$VERSION".json | |
| - | |
| name: Generate SBOM for frontend application | |
| env: | |
| VERSION: ${{ github.event.inputs.release }} | |
| working-directory: ./sbom | |
| run: | | |
| sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_application.json | |
| cyclonedx-npm --omit dev --package-lock-only --output-format JSON ../frontend/package-lock.json \ | |
| | parlay ecosystems enrich - \ | |
| | sbom-utility trim --keys=externalReferences,properties,vulnerabilities --quiet --input-file - \ | |
| | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| | sbom-utility patch --patch-file ./configuration/patch_frontend_application.json --quiet --input-file - --output-file sbom_frontend_application_"$VERSION".json | |
| sbom-utility validate --input-file sbom_frontend_application_"$VERSION".json | |
| - | |
| name: Generate SBOM for backend container | |
| env: | |
| VERSION: ${{ github.event.inputs.release }} | |
| working-directory: ./sbom | |
| run: | | |
| sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_container.json | |
| trivy image --vuln-type os --scanners license --format cyclonedx --quiet maibornwolff/secobserve-backend:"$VERSION" \ | |
| | parlay ecosystems enrich - \ | |
| | sbom-utility trim --keys=externalReferences,properties,vulnerabilities --quiet --input-file - \ | |
| | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| | sbom-utility patch --patch-file ./configuration/patch_backend_container.json --quiet --input-file - --output-file sbom_backend_container_"$VERSION".json | |
| sbom-utility validate --input-file sbom_backend_container_"$VERSION".json | |
| - | |
| name: Generate SBOM for frontend container | |
| env: | |
| VERSION: ${{ github.event.inputs.release }} | |
| working-directory: ./sbom | |
| run: | | |
| sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_container.json | |
| trivy image --vuln-type os --scanners license --format cyclonedx --quiet maibornwolff/secobserve-frontend:"$VERSION" \ | |
| | parlay ecosystems enrich - \ | |
| | sbom-utility trim --keys=externalReferences,properties,vulnerabilities --quiet --input-file - \ | |
| | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \ | |
| | sbom-utility patch --patch-file ./configuration/patch_frontend_container.json --quiet --input-file - --output-file sbom_frontend_container_"$VERSION".json | |
| sbom-utility validate --input-file sbom_frontend_container_"$VERSION".json | |
| - | |
| name: Commit SBOMs | |
| uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5 | |
| with: | |
| skip_fetch: true | |
| create_branch: true | |
| commit_message: "chore: generate SBOMs for release ${{ github.event.inputs.release }}" | |
| branch: "chore/sboms_release_${{ github.event.inputs.release }}" | |
| file_pattern: "sbom/sbom*.json" |