SBOM generation #2

Workflow file for this run

.github/workflows/vuln_man.yml at 0f62312

	name: SBOM generation final

	on:
	workflow_dispatch:

	jobs:
	sbom:
	name: Generate app SBOM
	runs-on: ubuntu-latest
	container: quay.io/pluribus_one/sbom_vex_scanner:latest
	strategy:
	fail-fast: false
	matrix:
	project: ["dvna", "vulnado"]

	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4

	- name: Generate SBOMs
	run: \|
	cd vuln_apps/${{ matrix.project }}
	cdxgen --format json -o "${{ matrix.project }}_bom.json"

	- name: Upload results
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: sbom-${{matrix.project}}
	path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json"
	retention-days: 5
	if-no-files-found: error

	sbom-docker:
	name: Generate docker SBOM
	runs-on: ubuntu-latest
	container: quay.io/pluribus_one/sbom_vex_scanner:latest
	strategy:
	fail-fast: false
	matrix:
	project: ["dvna", "vulnado"]

	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Build Docker image
	id: build-image
	uses: docker/build-push-action@v5
	with:
	context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}"
	push: false
	load: true
	tags: ${{ matrix.project }}:latest

	- name: Generate docker SBOMs
	run: \|
	cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest

	- name: upload Artifacts
	uses: actions/upload-artifact@v4
	with:
	name: sbom-${{matrix.project}}-docker
	path: ${{ matrix.project }}-docker_bom.json
	retention-days: 5
	if-no-files-found: error

	merge-sbom:
	name: Merge previously generated SBOM
	runs-on: ubuntu-latest
	needs: ["sbom", "sbom-docker"]
	container: cyclonedx/cyclonedx-cli:0.25.0
	strategy:
	fail-fast: false
	matrix:
	project: ["dvna", "vulnado"]

	steps:
	- name: Download artifact sbom
	uses: actions/download-artifact@v4
	with:
	name: sbom-${{matrix.project}}
	path: ./sboms-${{matrix.project}}

	- name: Download artifact sbom-docker
	uses: actions/download-artifact@v4
	with:
	name: sbom-${{matrix.project}}-docker
	path: ./sboms-${{matrix.project}}

	- name: Merge previously generated sboms
	run: \|
	cyclonedx merge --input-files sboms-${{matrix.project}}/${{ matrix.project }}_bom.json sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} --group devsecops-exercises

	- name: upload Artifacts
	uses: actions/upload-artifact@v4
	with:
	name: sbom-${{matrix.project}}-merged
	path: ${{ matrix.project }}_merged_sbom.json
	retention-days: 5
	if-no-files-found: error

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SBOM generation #2

Workflow file

SBOM generation #2

Jobs

Run details

Workflow file for this run