Merge pull request #50 from CISA-SBOM-Community/dependabot/github_act… #116
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Phase 1 - Python | |
| on: | |
| push: | |
| paths: | |
| - .github/workflows/phase_1_python.yml | |
| - 'phase_1/Python/**' | |
| env: | |
| PARLAY_VERSION: 0.6.0 | |
| SBOMASM_VERSION: 0.1.5 | |
| SBOMQS_VERSION: 0.1.9 | |
| SEMVER: 0.1.0 | |
| TRIVY_VERSION: 0.54.1 | |
| SBOM_AUTHOR: "CISA Tiger Group for SBOM Generation Reference Implementations" | |
| SBOM_SUPPLIER: "CISA Tiger Group for SBOM Generation Reference Implementations" | |
| jobs: | |
| Generate_Container: | |
| name: "Generate Container SBOM" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| # We're using native docker build here rather | |
| # than 'docker/build-push-action' to make the run | |
| # more pipeline agnostic. | |
| - name: Build Docker image | |
| working-directory: "phase_1/Python" | |
| run: | | |
| docker build -t phase-1-python . | |
| - name: Install Trivy | |
| run: | | |
| curl -L -o /tmp/trivy.tgz \ | |
| "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | |
| tar xvf /tmp/trivy.tgz -C /tmp | |
| chmod +x /tmp/trivy | |
| - name: Generate SBOM with Trivy | |
| working-directory: "phase_1/Python" | |
| run: | | |
| /tmp/trivy image \ | |
| --format cyclonedx \ | |
| --pkg-types os \ | |
| --output /tmp/container-sbom.cdx.json \ | |
| phase-1-python | |
| /tmp/trivy image \ | |
| --format spdx-json \ | |
| --pkg-types os \ | |
| --output /tmp/container-sbom.spdx.json \ | |
| phase-1-python | |
| - name: Upload CycloneDX SBOM | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: container-sbom-cyclonedx | |
| path: "/tmp/container-sbom.cdx.json" | |
| - name: Upload SPDX SBOM | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: container-sbom-spdx | |
| path: "/tmp/container-sbom.spdx.json" | |
| Generate_Application: | |
| name: "Generate Application SBOM" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Install Trivy | |
| run: | | |
| curl -L -o /tmp/trivy.tgz \ | |
| "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | |
| tar xvf /tmp/trivy.tgz -C /tmp | |
| chmod +x /tmp/trivy | |
| - name: "CycloneDX: Generate SBOM" | |
| working-directory: "phase_1/Python" | |
| run: | | |
| /tmp/trivy fs \ | |
| --format cyclonedx \ | |
| --output /tmp/application-sbom.cdx.json \ | |
| requirements.txt | |
| - name: "SPDX: Generate SBOM" | |
| working-directory: "phase_1/Python" | |
| run: | | |
| /tmp/trivy fs \ | |
| --format spdx-json \ | |
| --output /tmp/application-sbom.spdx.json \ | |
| requirements.txt | |
| - name: Upload CycloneDX SBOM | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: application-sbom-cyclonedx | |
| path: "/tmp/application-sbom.cdx.json" | |
| - name: Upload SPDX SBOM | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: application-sbom-spdx | |
| path: "/tmp/application-sbom.spdx.json" | |
| Augment: | |
| name: "Augment SBOMs" | |
| runs-on: ubuntu-latest | |
| needs: [Generate_Container, Generate_Application] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Download all workflow run artifacts | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| - name: Install sbomasm | |
| run: | | |
| curl -L -o /tmp/sbomasm \ | |
| "https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64" | |
| chmod +x /tmp/sbomasm | |
| - name: "CycloneDX: Augment Container SBOM" | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --subject Document \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| container-sbom-cyclonedx/container-sbom.cdx.json > /tmp/augmented_container-sbom.cdx.tmp | |
| /tmp/sbomasm edit \ | |
| --subject primary-component \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --version "$GITHUB_SHA" \ | |
| --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| /tmp/augmented_container-sbom.cdx.tmp > /tmp/augmented_container-sbom.cdx.json | |
| - name: "CycloneDX: Augment Application SBOM" | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --subject Document \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \ | |
| --lifecycle pre-build \ | |
| --license 'Apache-2.0' \ | |
| application-sbom-cyclonedx/application-sbom.cdx.json > /tmp/augmented_application-sbom.cdx.tmp | |
| /tmp/sbomasm edit \ | |
| --subject primary-component \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --version "$GITHUB_SHA" \ | |
| --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| /tmp/augmented_application-sbom.cdx.tmp >/tmp/augmented_application-sbom.cdx.json | |
| - name: "SPDX: Augment Container SBOM" | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --append \ | |
| --subject Document \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \ | |
| --lifecycle pre-build \ | |
| --license 'Apache-2.0' \ | |
| container-sbom-spdx/container-sbom.spdx.json > /tmp/augmented_container-sbom.spdx.tmp | |
| /tmp/sbomasm edit \ | |
| --subject primary-component \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --version "$GITHUB_SHA" \ | |
| --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| /tmp/augmented_container-sbom.spdx.tmp > /tmp/augmented_container-sbom.spdx.json | |
| - name: "SPDX: Augment Application SBOM" | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --append \ | |
| --subject Document \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \ | |
| --lifecycle pre-build \ | |
| --license 'Apache-2.0' \ | |
| application-sbom-spdx/application-sbom.spdx.json > /tmp/augmented_application-sbom.spdx.tmp | |
| /tmp/sbomasm edit \ | |
| --subject primary-component \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --version "$GITHUB_SHA" \ | |
| --repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| /tmp/augmented_application-sbom.spdx.tmp > /tmp/augmented_application-sbom.spdx.json | |
| - name: Upload Augmented SBOMs | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: augmented-sboms | |
| path: "/tmp/augmented_*.json" | |
| Enrich: | |
| name: "Enrich SBOMs" | |
| runs-on: ubuntu-latest | |
| needs: [Augment] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Download all workflow run artifacts | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| - name: Install parlay | |
| run: | | |
| curl -Ls https://github.com/snyk/parlay/releases/download/v${PARLAY_VERSION}/parlay_Linux_x86_64.tar.gz | tar xvz -C /tmp | |
| chmod +x /tmp/parlay | |
| - name: "CycloneDX: Enrich SBOMs" | |
| run: | | |
| /tmp/parlay ecosystems enrich \ | |
| augmented-sboms/augmented_container-sbom.cdx.json > /tmp/enriched_container-sbom.cdx.json | |
| /tmp/parlay ecosystems enrich \ | |
| augmented-sboms/augmented_application-sbom.cdx.json > /tmp/enriched_application-sbom.cdx.json | |
| - name: "SPDX: Enrich SBOMs" | |
| run: | | |
| /tmp/parlay ecosystems enrich \ | |
| augmented-sboms/augmented_container-sbom.spdx.json > /tmp/enriched_container-sbom.spdx.json | |
| /tmp/parlay ecosystems enrich \ | |
| augmented-sboms/augmented_application-sbom.spdx.json > /tmp/enriched_application-sbom.spdx.json | |
| - name: Upload Enriched SBOMs | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: enriched-sboms | |
| path: "/tmp/enriched_*.json" | |
| Validate: | |
| name: "Validate SBOMs" | |
| needs: Enrich | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Download SBOMs | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| - name: Install sbomqs | |
| run: | | |
| curl -L -o /tmp/sbomqs \ | |
| "https://github.com/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64" | |
| chmod +x /tmp/sbomqs | |
| - name: "Display SBOM quality score through sbomqs" | |
| run: | | |
| echo \`\`\` >> ${GITHUB_STEP_SUMMARY} | |
| for SBOM in $(find . -iname *.json); do | |
| /tmp/sbomqs score "$SBOM" >> ${GITHUB_STEP_SUMMARY} | |
| done | |
| echo \`\`\` >> ${GITHUB_STEP_SUMMARY} |