Add SBOM generation and scanning workflow (#153)

* ci: Add a workflow that can perform an SBOM generation and scan. * ci: Update conditional check in SARIF upload step. * ci: Create a lockfile so that syft can read the dependencies.
tektronix · Feb 28, 2024 · 4a9875e · 4a9875e
1 parent c283006
commit 4a9875e
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
@@ -0,0 +1,38 @@
+---
+name: Create & Scan SBOM
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  release:
+    types: [published]
+jobs:
+  create-and-scan-sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: x  # any version
+      - name: Create lockfile
+        run: |
+          pip install poetry
+          poetry lock
+      - name: Create SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          format: spdx-json
+          output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+      - name: Scan SBOM
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          fail-build: true
+          severity-cutoff: low
+      - name: Upload SBOM scan SARIF report
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}