
Conversation

peatey (Contributor) commented Jan 27, 2026

What does this PR change?

  • Adds three new GitHub Actions workflows for enhanced security and supply chain transparency:
    • SBOM Generation (sbom.yml): Generates Software Bill of Materials in SPDX and CycloneDX formats for both source code and container images using Trivy
    • OpenSSF Scorecard (scorecard.yml): Runs supply-chain security analysis and publishes results to the OpenSSF dashboard
    • Trivy Vulnerability Scanner (vulnerability-scan.yaml): Scans for CRITICAL and HIGH severity vulnerabilities in dependencies and OS packages

Does this PR relate to any other PRs?

  • No

How will this PR impact users?

  • Improved Security Transparency: Users can now access SBOMs attached to releases, providing complete visibility into dependencies
  • Vulnerability Detection: Automated scanning prevents merging code with known critical/high vulnerabilities
  • Supply Chain Security: OpenSSF Scorecard provides security posture metrics and best practices compliance
  • No Breaking Changes: These are non-blocking workflows that enhance security without affecting existing functionality

Does this PR address any GitHub or Zendesk issues?

  • No specific issues referenced

How was this PR tested?

  • Workflows are configured with appropriate triggers (PR, push, workflow_run, manual dispatch)
  • SBOM generation tested on both source code and container images
  • Vulnerability scanning configured to fail on CRITICAL/HIGH severity findings
  • Scorecard configured to publish results to OpenSSF dashboard

Does this PR require changes to documentation?

  • Yes - should document:
    • How to access SBOMs from releases
    • How to interpret Scorecard results
    • How vulnerability scanning affects CI/CD pipeline

Have you labeled this PR and its corresponding Issue as "next release" if it should be part of the next OpenCost release? If not, why not?

  • N/A - This is an infrastructure/DevOps change that doesn't affect the product release itself, though it should be included in the next release cycle for security benefits

https://claude.ai/code/session_01UmnP1gmTkjmFD6w7HgDCoS

This mirrors the SBOM functionality from the main opencost repo, adapted
for the UI repository:

- sbom.yml: Generates Software Bill of Materials in SPDX and CycloneDX
  formats for both source code and container images, triggered on
  releases, manual dispatch, and PRs to main
- vulnerability-scan.yaml: Runs Trivy security scans on PRs and pushes
  to main, uploading results to GitHub Security tab
- scorecard.yml: OpenSSF Scorecard supply-chain security analysis

Key adaptations for UI repo:
- Changed branch targets from 'develop' to 'main'
- Updated artifact names to 'opencost-ui-*' prefix
- Container image references updated to opencost-ui

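An illustrative workflow covering the vulnerability-scan and SBOM pieces described above. This is an added example, not the PR's own vulnerability-scan.yaml or sbom.yml; the action inputs are aquasecurity/trivy-action's, while the job layout, the main-branch triggers and the opencost-ui-* artifact name are assumptions taken from the description.

```yaml
name: Trivy supply-chain checks

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read
  security-events: write   # required for upload-sarif to write to the Security tab

jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy filesystem scan (CRITICAL/HIGH only)
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in practice
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # don't block merges on findings that have no fix yet
          exit-code: '1'         # fail the job, and therefore the PR check, on any finding
      # Without always() this step is skipped exactly when the scan found
      # something, and the Security tab never receives the results.
      - name: Upload results to the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate SPDX SBOM for the source tree
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: spdx-json      # use cyclonedx for the CycloneDX variant
          output: opencost-ui-sbom.spdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: opencost-ui-sbom-spdx
          path: opencost-ui-sbom.spdx.json
```

Unpinned `@master` references are flagged by Scorecard's Pinned-Dependencies check, so a repository that also runs scorecard.yml should pin each action to a commit SHA.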
netlify bot commented Jan 27, 2026

Deploy Preview for opencost-ui ready!

Latest commit: 5ed835b
Latest deploy log: https://app.netlify.com/projects/opencost-ui/deploys/69793fea94050a0008972542
Deploy Preview: https://deploy-preview-171--opencost-ui.netlify.app

github-advanced-security bot commented:

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
