SBOM generation final #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: SBOM generation final | |
on: | |
workflow_dispatch: | |
jobs: | |
## Exercise SBOM generation | |
sbom: | |
name: Generate app SBOM | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
project: ["dvna", "vulnado"] | |
cdx_spec_version: ["1.5"] | |
include: | |
- project: vulnado | |
cdx_spec_version: "1.5" | |
cdx_image: ghcr.io/cyclonedx/cdxgen-java:v10 | |
- project: dvna | |
cdx_spec_version: "1.5" | |
cdx_image: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3 | |
container: | |
image: ${{matrix.cdx_image}} | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@v4 | |
- name: Generate SBOMs | |
run: | | |
cd vuln_apps/${{ matrix.project }} | |
cdxgen \ | |
--format json \ | |
--spec-version="${{matrix.cdx_spec_version}}" \ | |
--project-name="${{ matrix.project }}" \ | |
--project-version="build-${{ github.run_number }}" \ | |
-o "${{ matrix.project }}_bom.json" | |
- name: Upload results | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-${{matrix.project}} | |
path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" | |
retention-days: 5 | |
if-no-files-found: error | |
## Exercise Docker SBOM generation | |
sbom-docker: | |
name: Generate docker SBOM | |
runs-on: ubuntu-latest | |
container: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3 | |
strategy: | |
fail-fast: false | |
matrix: | |
project: ["dvna", "vulnado"] | |
cdx_spec_version: ["1.5"] | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build Docker image | |
id: build-image | |
uses: docker/build-push-action@v5 | |
with: | |
context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}" | |
push: false | |
load: true | |
tags: ${{ matrix.project }}:latest | |
- name: Generate docker SBOMs | |
run: > | |
cdxgen | |
--type docker | |
--format json | |
--spec-version="${{matrix.cdx_spec_version}}" | |
--project-name="${{ matrix.project }}" | |
--project-version="build-${{ github.run_number }}" | |
-o "${{ matrix.project }}-docker_bom.json" | |
${{ matrix.project }}:latest | |
- name: upload Artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-${{matrix.project}}-docker | |
path: ${{ matrix.project }}-docker_bom.json | |
retention-days: 5 | |
if-no-files-found: error | |
## Exercise Merge multiple SBOMs | |
merge-sbom: | |
name: Merge previously generated SBOM | |
runs-on: ubuntu-latest | |
needs: ["sbom", "sbom-docker"] | |
container: cyclonedx/cyclonedx-cli:0.27.1 | |
strategy: | |
fail-fast: false | |
matrix: | |
project: ["dvna", "vulnado"] | |
steps: | |
- name: Download artifact sbom | |
uses: actions/download-artifact@v4 | |
with: | |
name: sbom-${{matrix.project}} | |
path: ./sboms-${{matrix.project}} | |
- name: Download artifact sbom-docker | |
uses: actions/download-artifact@v4 | |
with: | |
name: sbom-${{matrix.project}}-docker | |
path: ./sboms-${{matrix.project}} | |
- name: Merge previously generated sboms | |
run: > | |
cyclonedx merge | |
--input-files sboms-${{matrix.project}}/${{ matrix.project }}_bom.json sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json | |
--output-file ${{ matrix.project }}_merged_sbom.json | |
--hierarchical | |
--name ${{ matrix.project }} | |
--version "build-${{ github.run_number }}" | |
--group devsecops-exercises | |
- name: upload Artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-${{matrix.project}}-merged | |
path: ${{ matrix.project }}_merged_sbom.json | |
retention-days: 5 | |
if-no-files-found: error |