Skip to content

SBOM upload & scan #5118

SBOM upload & scan

SBOM upload & scan #5118

Workflow file for this run

name: SBOM upload & scan
on:
workflow_dispatch:
release:
types: [published]
schedule:
- cron: '0 */1 * * *'
jobs:
SBOM-upload:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
security-events: write
steps:
- name: Generate SBOM using Trivy from image
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: ghcr.io/cloudfoundry/ubuntu-jammy-stemcell
format: spdx-json
output: sbom.spdx.json
- name: Run Trivy vulnerability scanner [fix available]
uses: aquasecurity/trivy-action@master
with:
scan-type: sbom
scan-ref: sbom.spdx.json
ignore-unfixed: true
format: sarif
output: trivy-results-with-fix.sarif
- name: Run Trivy vulnerability scanner [all]
uses: aquasecurity/trivy-action@master
with:
scan-type: sbom
scan-ref: sbom.spdx.json
format: sarif
output: trivy-results-all.sarif
- name: Fix SARIF file physicalLocations
run: |
for n in all with-fix; do
jq '.runs = (.runs | map(.results = (.results |
map(.locations = (.locations | map(.physicalLocation.artifactLocation = {uri: "/sbom.spdx.json"}))))))' \
trivy-results-${n}.sarif > tmp.sarif
mv tmp.sarif trivy-results-${n}.sarif
done
- uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.spdx.json
- name: SBOM upload
uses: advanced-security/[email protected]
- name: Upload Trivy scan results to GitHub Security tab [all]
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-all.sarif'
category: all
- name: Upload Trivy scan results to GitHub Security tab [fix-available]
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-with-fix.sarif'
category: fix-available