Merge pull request #59 from udx/UAT-47

SBOM Generation and Release Enhancements [UAT-47]

.github/workflows/build-and-test.yml

@@ -37,7 +37,7 @@ jobs:
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
             sudo sh -s -- -b /usr/local/bin
 
-      - name: Trivy Scanning
+      - name: Trivy Vulnerability Scanning
         run: |
           export TRIVY_DISABLE_VEX_NOTICE=true
 
@@ -80,3 +80,22 @@ jobs:
             echo "Failed to complete Trivy scan after $max_retries attempts."
             exit 1
           fi
+
+      - name: Trivy SBOM Generation
+        run: |
+          # Suppress verbose notices and informational messages
+          export TRIVY_DISABLE_VEX_NOTICE=true
+          trivy image --format spdx-json --output sbom.json udx-worker/udx-worker:latest 2>/dev/null
+
+          echo "SBOM Top Packages Summary:"
+          echo "| Package Name      | Version   |"
+          echo "|-------------------|-----------|"
+
+          # Use jq to extract name and versionInfo, excluding packages with null versions, and pipe to column for formatting
+          jq -r '.packages[] | select(.versionInfo != null) | "\(.name) | \(.versionInfo)"' sbom.json | sort | uniq | head -n 20 | column -t -s '|'
+
+      - name: Upload SBOM Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.json

.github/workflows/release.yml

@@ -62,6 +62,19 @@ jobs:
           tags: |
             usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }}
 
+      - name: Generate SBOM
+        run: |
+          export TRIVY_DISABLE_VEX_NOTICE=true
+          trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }} 2>/dev/null
+        # Save SBOM for later upload
+        id: generate-sbom
+
+      - name: Upload SBOM Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.json
+
       - name: Generate changelog
         id: changelog
         run: |
@@ -95,13 +108,19 @@ jobs:
           git tag ${{ needs.test-pipeline.outputs.semVer }}
           git push origin ${{ needs.test-pipeline.outputs.semVer }}
 
+      - name: Download SBOM Artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: sbom
+
       - name: Create GitHub release
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ needs.test-pipeline.outputs.semVer }}
           body: ${{ needs.test-pipeline.outputs.changelog }}
           draft: false
           prerelease: false
+          files: sbom.json
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 
@@ -145,5 +164,23 @@ jobs:
             usabilitydynamics/udx-worker:${{ needs.test-pipeline.outputs.semVer }}
             usabilitydynamics/udx-worker:latest
 
+      - name: Download SBOM Artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: sbom
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Sign SBOM with Cosign
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: |
+          cosign attest \
+            --key env://COSIGN_PRIVATE_KEY \
+            --type sbom \
+            --predicate sbom.json \
+            usabilitydynamics/udx-worker:${{ needs.test-pipeline.outputs.semVer }}
+
       - name: Log out from Docker Hub
         run: docker logout

ci/git-version.yml

@@ -1,9 +1,10 @@
 ---
-mode: ContinuousDeployment
+mode: Mainline
 
 branches:
   latest:
     regex: ^latest$
+    tag: ''
     increment: Minor
     source-branches: []
 

ci/pub.keys/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhwPdudrplq/mmIHX6UkTpCJyabn4
+XSbcX5GnT8PXVW/3f7mUTOIYtQK/Rk39VlgivOf0Zq8+2LWmuOp5BAelRw==
+-----END PUBLIC KEY-----