From 92121e02d1551822e9d0fc1760493c6e561f5278 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Fri, 26 Sep 2025 10:32:05 +0200 Subject: [PATCH 1/4] Create SBOM files (#173) * CI sbom implementation * uncomment build-binaries job * run sbom on self-hosted workers * use shogo82148/actions-upload-release-asset upload action --- .github/workflows/release.yml | 6 ++++ .github/workflows/sbom.yml | 54 +++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 .github/workflows/sbom.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a103012f..e744b49b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -52,6 +52,12 @@ jobs: draft: true generate_release_notes: true + create-sbom: + needs: [create-release, build-docker-release] + uses: ./.github/workflows/sbom.yml + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + build-binaries: needs: [create-release] runs-on: diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 00000000..0a8b8c81 --- /dev/null +++ b/.github/workflows/sbom.yml 
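Review bot: The new `create-sbom` job sets no `permissions:` block, so the reusable workflow it calls runs with whatever release.yml grants at workflow level, which is not visible in this hunk. Uploading release assets with `GITHUB_TOKEN` needs only `contents: write`; scoping that on the caller job (`permissions:` / `  contents: write` under `create-sbom:`) stops the called workflow from inheriting anything broader, since a called workflow can never exceed its caller's permissions. The enclosing `jobs:` mapping starts and ends outside the hunk.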
@@ -0,0 +1,54 @@
+name: Create SBOM files
+
+on:
+ workflow_call:
+ inputs:
+ upload_url:
+ description: "Release assets upload URL"
+ required: true
+ type: string
+
+jobs:
+ create-sbom:
+ runs-on: self-hosted
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ # Store the version, stripping any v-prefix
+ - name: Write release version
+ run: |
+ VERSION=${GITHUB_REF_NAME#v}
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+ - name: Create SBOM with Trivy
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'fs'
+ format: 'spdx-json'
+ output: "defguard-proxy-${{ env.VERSION }}.sbom.json"
+ scan-ref: '.'
+ severity: "CRITICAL,HIGH,MEDIUM"
+
+ - name: Create docker image SBOM with Trivy
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ image-ref: "ghcr.io/defguard/defguard-proxy:${{ env.VERSION }}"
+ scan-type: 'image'
+ format: 'spdx-json'
+ output: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json"
+ severity: "CRITICAL,HIGH,MEDIUM"
+ scanners: "vuln"
+
+ - name: Upload SBOM
+ uses: shogo82148/actions-upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ inputs.upload_url }}
+ asset_path: "defguard-*.sbom.json"
+ asset_content_type: application/octet-stream
From 18015f4cd2570cf591cf579b675d0405352a2d81 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 26 Sep 2025 14:11:40 +0200
Subject: [PATCH 2/4] CI: scan code with trivy (#174)

* CI: scan code with trivy
* bump trivy action version
* include low severity vulns in sbom
---
 .github/workflows/build-docker.yml | 2 +-
 .github/workflows/sbom.yml | 5 +++--
 .github/workflows/test.yml | 9 +++++++++
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 55350776..a10ebc14 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
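Review bot: All three third-party actions in the new workflow are pinned by mutable tag (`actions/checkout@v4`, `aquasecurity/trivy-action@0.33.1`, `shogo82148/actions-upload-release-asset@v1`) rather than by full commit SHA, so a moved or force-pushed tag changes what runs with `secrets.GITHUB_TOKEN` on the self-hosted runner. For a workflow whose output is supply-chain evidence, pin each `uses:` to a 40-character commit SHA with the version as a trailing comment, e.g. `uses: OWNER/ACTION@<commit-sha>  # v1`, and let the repository's dependency-update tooling bump them. The `Write release version` step writes an unquoted `$GITHUB_ENV`; `>> "$GITHUB_ENV"` is the conventional form and costs nothing.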
@@ -69,7 +69,7 @@ jobs: cache-to: type=gha,mode=max - name: Scan image with Trivy - uses: aquasecurity/trivy-action@0.32.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}" format: "table" diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 0a8b8c81..1cc30e9f 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -32,7 +32,8 @@ jobs: format: 'spdx-json' output: "defguard-proxy-${{ env.VERSION }}.sbom.json" scan-ref: '.' - severity: "CRITICAL,HIGH,MEDIUM" + severity: "CRITICAL,HIGH,MEDIUM,LOW" + scanners: "vuln" - name: Create docker image SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 @@ -41,7 +42,7 @@ jobs: scan-type: 'image' format: 'spdx-json' output: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json" - severity: "CRITICAL,HIGH,MEDIUM" + severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" - name: Upload SBOM diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fc24763b..ad533e66 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -34,6 +34,15 @@ jobs: uses: actions/checkout@v4 with: submodules: recursive + - name: Scan code with Trivy + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + scan-ref: '.' + exit-code: "1" + ignore-unfixed: true + severity: "CRITICAL,HIGH,MEDIUM" + scanners: "vuln" - name: Cache uses: Swatinem/rust-cache@v2 - name: Install protoc From 9466eb9b0d5b613d6f3f4ccfe6733bef4e5538e4 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Mon, 29 Sep 2025 15:47:26 +0200 Subject: [PATCH 3/4] Periodic sbom regeneration (#176) * periodic sbom and advisories regeneration * fix advisories upload * remove branch push trigger --- .github/workflows/sbom-regenerate.yml | 35 +++++++++++++++++ .github/workflows/sbom.yml | 54 ++++++++++++++++++++------- 2 files changed, 76 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/sbom-regenerate.yml 
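Review bot: The `severity:` widening and the added `scanners: "vuln"` on the SPDX SBOM step (and the same `severity` change in the second sbom.yml hunk) very likely do not alter the output: Trivy's SPDX SBOM output is a package inventory without vulnerability findings, so `CRITICAL,HIGH,MEDIUM,LOW` filters nothing there — confirm against the trivy-action documentation for `format: 'spdx-json'`. If the intent is to ship findings alongside the release, that needs a separate scan with a finding-bearing format such as `format: 'json'` or `'sarif'`, not a longer severity list on the SBOM step. Otherwise drop both inputs so the step does not advertise a filter that is never applied.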
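Review bot: The new `Scan code with Trivy` step in test.yml gates the job with `exit-code: "1"` but records its results nowhere durable: with no `format:` the findings exist only in the job log, and `ignore-unfixed: true` silently drops anything without an upstream fix. Consider also emitting a report, e.g. `format: "sarif"` with `output: "trivy-results.sarif"`, and uploading it with `github/codeql-action/upload-sarif` so findings accumulate in code scanning, and add a comment above `ignore-unfixed: true` stating that unfixed advisories are deliberately excluded from the gate. The step runs before `Cache`/`Install protoc`, which is fine for a filesystem scan of the checkout but worth a one-line comment so nobody assumes built artefacts are covered. The enclosing job begins outside the hunk.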
diff --git a/.github/workflows/sbom-regenerate.yml b/.github/workflows/sbom-regenerate.yml
new file mode 100644
index 00000000..d3c7522c
--- /dev/null
+++ b/.github/workflows/sbom-regenerate.yml
@@ -0,0 +1,35 @@
+name: Periodic SBOM Regeneration
+
+on:
+ schedule:
+ - cron: '30 2 * * *' # 2:30 AM UTC
+
+jobs:
+ list-releases:
+ name: List releases
+ runs-on: ubuntu-latest
+ outputs:
+ releases: ${{ steps.get-releases.outputs.releases }}
+ steps:
+ - name: Get list of releases
+ id: get-releases
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ RELEASES_JSON=$(gh api repos/${{ github.repository }}/releases \
+ --jq '[.[] | select(.draft == false) | {tagName: .tag_name, uploadUrl: .upload_url}][:1]')
+ echo "releases=$RELEASES_JSON" >> $GITHUB_OUTPUT
+ regenerate-for-release:
+ name: Regenerate SBOM for release
+ needs: list-releases
+ # Don't run if no releases were found.
+ if: needs.list-releases.outputs.releases != '[]'
+ strategy:
+ fail-fast: false
+ matrix:
+ release: ${{ fromJson(needs.list-releases.outputs.releases) }}
+ uses: ./.github/workflows/sbom.yml
+ with:
+ upload_url: ${{ matrix.release.uploadUrl }}
+ tag: ${{ matrix.release.tagName }}
+ secrets: inherit
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 1cc30e9f..38d0bd5c 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
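Review bot: `secrets: inherit` on `regenerate-for-release` hands every repository and organisation secret to the called workflow, while sbom.yml only reads `secrets.GITHUB_TOKEN`, which GitHub passes to a same-repository reusable workflow automatically. Drop `secrets: inherit`; if the self-hosted job later needs a registry credential, declare it as a named entry under `secrets:` in sbom.yml and pass only that one. Neither job declares `permissions:`, yet the called workflow uploads release assets, so the workflow relies on the repository's default token scope — set `permissions:` / `  contents: write` at workflow level and keep `list-releases` at `contents: read`. The `[:1]` slice takes the first entry in the API's response order and feeds it straight into the matrix, with `if: ... != '[]'` as the only check before the tag reaches `checkout` in the called workflow; a comment on `run:` that releases are maintainer-created and therefore trusted would make that assumption explicit.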
@@ -7,30 +7,37 @@ on: description: "Release assets upload URL" required: true type: string + tag: + description: "The git tag to generate SBOM for - used in scheduled runs" + required: false + type: string jobs: create-sbom: - runs-on: self-hosted + runs-on: [self-hosted, Linux, X64] steps: + - name: Determine release tag and version + id: vars + # Uses inputs.tag for scheduled runs, otherwise github.ref_name. + run: | + TAG_NAME=${{ inputs.tag || github.ref_name }} + VERSION=${TAG_NAME#v} + echo "TAG_NAME=$TAG_NAME" >> $GITHUB_OUTPUT + echo "VERSION=$VERSION" >> $GITHUB_OUTPUT + - name: Checkout uses: actions/checkout@v4 with: + ref: ${{ steps.vars.outputs.TAG_NAME }} submodules: recursive - # Store the version, stripping any v-prefix - - name: Write release version - run: | - VERSION=${GITHUB_REF_NAME#v} - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - name: Create SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' format: 'spdx-json' - output: "defguard-proxy-${{ env.VERSION }}.sbom.json" + output: "defguard-proxy-${{ steps.vars.outputs.VERSION }}.sbom.json" scan-ref: '.' severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" 
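Review bot: `TAG_NAME=${{ inputs.tag || github.ref_name }}` in the new `Determine release tag and version` step expands an expression directly into the shell script, the pattern GitHub's Actions security-hardening documentation advises against; the value currently comes from maintainer-created release tags, but `workflow_call` makes the workflow callable from any other workflow, and the same value then becomes `ref:` for `checkout` on a self-hosted runner. Pass it through the environment and quote it: add `env:` / `  INPUT_TAG: ${{ inputs.tag }}` to the step and use `TAG_NAME="${INPUT_TAG:-$GITHUB_REF_NAME}"` in the script, with `VERSION="${TAG_NAME#v}"` quoted likewise. The description of the new `tag` input should also say it must name an existing tag, since `checkout` uses it as `ref:` without further validation.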
@@ -38,18 +45,39 @@ jobs: - name: Create docker image SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 with: - image-ref: "ghcr.io/defguard/defguard-proxy:${{ env.VERSION }}" + image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}" scan-type: 'image' format: 'spdx-json' - output: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json" + output: "defguard-proxy-${{ steps.vars.outputs.VERSION }}-docker.sbom.json" + severity: "CRITICAL,HIGH,MEDIUM,LOW" + scanners: "vuln" + + - name: Create security advisory file with Trivy + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + format: 'json' + output: "defguard-proxy-${{ steps.vars.outputs.VERSION }}.advisories.json" + scan-ref: '.' + severity: "CRITICAL,HIGH,MEDIUM,LOW" + scanners: "vuln" + + - name: Create docker image security advisory file with Trivy + uses: aquasecurity/trivy-action@0.33.1 + with: + image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}" + scan-type: 'image' + format: 'json' + output: "defguard-proxy-${{ steps.vars.outputs.VERSION }}-docker.advisories.json" severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" - - name: Upload SBOM + - name: Upload SBOMs and advisories uses: shogo82148/actions-upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ inputs.upload_url }} - asset_path: "defguard-*.sbom.json" + asset_path: "defguard-*.json" asset_content_type: application/octet-stream + overwrite: true From 57e898e60de87c33df21fa9e6b6588badf4fd195 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 30 Sep 2025 09:46:17 +0200 Subject: [PATCH 4/4] only generate sbom for full releases --- .github/workflows/sbom-regenerate.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom-regenerate.yml b/.github/workflows/sbom-regenerate.yml index d3c7522c..3ecb2e6e 100644 --- a/.github/workflows/sbom-regenerate.yml +++ b/.github/workflows/sbom-regenerate.yml 
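Review bot: `overwrite: true` on the renamed `Upload SBOMs and advisories` step, combined with the broader `asset_path: "defguard-*.json"`, means a scheduled run replaces the release's SBOM assets as well as the advisory reports, so the hash of `defguard-proxy-<version>.sbom.json` that a downstream consumer recorded at release time can change afterwards. If only the advisory reports are meant to be refreshed, split the upload so SBOM files are published once by the release run and only `defguard-*.advisories.json` is overwritten on schedule; otherwise add a comment on the step stating that SBOMs are intentionally regenerated with the current Trivy version. `asset_content_type: application/octet-stream` now labels JSON documents; `application/json` is the accurate type, though harmless either way.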
@@ -17,7 +17,9 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | RELEASES_JSON=$(gh api repos/${{ github.repository }}/releases \ - --jq '[.[] | select(.draft == false) | {tagName: .tag_name, uploadUrl: .upload_url}][:1]') + --jq '[.[] + | select(.draft == false and (.tag_name | test("^v[0-9]+\\.[0-9]+\\.[0-9]+$"))) + | {tagName: .tag_name, uploadUrl: .upload_url}][:1]') echo "releases=$RELEASES_JSON" >> $GITHUB_OUTPUT regenerate-for-release: name: Regenerate SBOM for release
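Review bot: The new `test("^v[0-9]+\\.[0-9]+\\.[0-9]+$")` filter infers "full release" from the tag shape while the API already exposes the flag; adding `.prerelease == false` beside `.draft == false` states the intent directly and keeps the tag check as a guard against unexpected tags. `[:1]` then keeps the first match in the API's default ordering (most recently created), so a point release of an older line published after the newest major would be chosen over the highest version — acceptable if intended, but worth a comment on the `run:` block. The step's `name:`/`id:` lines lie outside the hunk.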