From 4a9875e57732f8367a4629db83e2f8ab6eb9bcc7 Mon Sep 17 00:00:00 2001
From: Nicholas Felt <nicholas.felt@tektronix.com>
Date: Wed, 28 Feb 2024 11:26:53 -0800
Subject: [PATCH] Add SBOM generation and scanning workflow (#153)

* ci: Add a workflow that can perform an SBOM generation and scan.

* ci: Update conditional check in SARIF upload step.

* ci: Create a lockfile so that syft can read the dependencies.
---
 .github/workflows/sbom-scan.yml | 38 +++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/sbom-scan.yml

diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
new file mode 100644
index 00000000..3f09f38f
--- /dev/null
+++ b/.github/workflows/sbom-scan.yml
@@ -0,0 +1,38 @@
+---
+name: Create & Scan SBOM
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  release:
+    types: [published]
+jobs:
+  create-and-scan-sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: x  # any version
+      - name: Create lockfile
+        run: |
+          pip install poetry
+          poetry lock
+      - name: Create SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          format: spdx-json
+          output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+      - name: Scan SBOM
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          fail-build: true
+          severity-cutoff: low
+      - name: Upload SBOM scan SARIF report
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}