From f7c11355a12d56557d47309b7a81abff90d2a2f9 Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Sun, 4 May 2025 22:55:18 -0600
Subject: [PATCH 01/15] Closes #17 by adding a GH Actions workflow
---
.github/workflows/supply-chain-security.yaml | 39 ++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 .github/workflows/supply-chain-security.yaml
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
new file mode 100644
index 0000000..663ba29
--- /dev/null
+++ b/.github/workflows/supply-chain-security.yaml
@@ -0,0 +1,39 @@
+name: SBOM Generation and Vulnerability Scanning
+
+on:
+ pull_request:
+ branches: [ main ]
+ # Allow manual triggering
+ workflow_dispatch:
+
+jobs:
+ sbom-and-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ # Generate SBOM using Anchore Syft
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ format: cyclonedx-json
+ output-file: ./sbom.json
+
+ # Scan the SBOM for vulnerabilities using Anchore Grype
+ - name: Scan SBOM for vulnerabilities
+ uses: anchore/scan-action@v3
+ with:
+ sbom: ./sbom.json
+ # Set fail-build to true to fail the workflow if critical vulnerabilities are found
+ fail-build: true
+ severity-cutoff: critical
+ # Optional: Output the vulnerability report
+ output-format: table
+
+ # Archive the SBOM as an artifact
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v3
+ with:
+ name: sbom
+ path: ./sbom.json
From adc4227b10e0c93ce9be864b26e15ab413491f65 Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Sun, 4 May 2025 22:57:44 -0600
Subject: [PATCH 02/15] Fixing error in missing action version
---
.github/workflows/supply-chain-security.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 663ba29..eab608b 100644
--- a/.github/workflows/supply-chain-security.yaml
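Review bot: The job declares no `permissions:` block and every third-party step is referenced by a floating tag (`actions/checkout@v3`, `anchore/sbom-action@v0`, `anchore/scan-action@v3`, `actions/upload-artifact@v3`), so the workflow runs with the repository's default `GITHUB_TOKEN` scope and executes whatever code those tags resolve to at run time. For a workflow whose purpose is supply-chain assurance, add a least-privilege token scope at the top of the file, `permissions:` / `  contents: read`, and pin each action to a full commit SHA with the release as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3` (placeholder; substitute the SHA of the release actually in use). A mutable tag can be re-pointed by whoever controls the action repository, whereas a pinned SHA cannot. The same floating tags survive through the rest of this series, so the pinning applies to the final state in PATCH 15 as well.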
+++ b/.github/workflows/supply-chain-security.yaml
@@ -33,7 +33,7 @@ jobs:
# Archive the SBOM as an artifact
- name: Upload SBOM
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
with:
name: sbom
path: ./sbom.json
From 797732e5b805bdb4a2bd2f819a50aa2e049c5bbc Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Sun, 4 May 2025 23:04:12 -0600
Subject: [PATCH 03/15] Fixing sbom name generation
---
.github/workflows/supply-chain-security.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index eab608b..118b14e 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -18,7 +18,7 @@ jobs:
uses: anchore/sbom-action@v0
with:
format: cyclonedx-json
- output-file: ./sbom.json
+ artifact-name: sbom.json
# Scan the SBOM for vulnerabilities using Anchore Grype
- name: Scan SBOM for vulnerabilities
From 915a5c98dbcfb3eb0c8fcc332519c39bd22bfa2d Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Sun, 4 May 2025 23:05:18 -0600
Subject: [PATCH 04/15] Fixing workflow name typo
---
.github/workflows/automerge-dependabot.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/automerge-dependabot.yaml b/.github/workflows/automerge-dependabot.yaml
index 85b6d8d..8188388 100644
--- a/.github/workflows/automerge-dependabot.yaml
+++ b/.github/workflows/automerge-dependabot.yaml
@@ -1,5 +1,5 @@ ---
-name: Depedabot auto-merge
+name: Dependabot auto-merge
on: pull_request
jobs:
From 57394a60dd37254c13b2beb82edc98826cd08af6 Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Sun, 4 May 2025 23:08:26 -0600
Subject: [PATCH 05/15] Fixing again?
---
.github/workflows/supply-chain-security.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 118b14e..2eaaaf3 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -22,9 +22,9 @@ jobs:
# Scan the SBOM for vulnerabilities using Anchore Grype
- name: Scan SBOM for vulnerabilities
- uses: anchore/scan-action@v3
+ uses: anchore/scan-action@v6
with:
- sbom: ./sbom.json
+ sbom: sbom.json
# Set fail-build to true to fail the workflow if critical vulnerabilities are found
fail-build: true
severity-cutoff: critical
From cf90f16e048bcfb122e1828c1c3c20c5f95fd5d1 Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Sun, 4 May 2025 23:13:09 -0600
Subject: [PATCH 06/15] Adding SARIF upload
---
.github/workflows/supply-chain-security.yaml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 2eaaaf3..12a57b1 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -22,6 +22,7 @@ jobs:
# Scan the SBOM for vulnerabilities using Anchore Grype
- name: Scan SBOM for vulnerabilities
+ id: scan
uses: anchore/scan-action@v6
with:
sbom: sbom.json
@@ -29,7 +30,13 @@ jobs:
fail-build: true
severity-cutoff: critical
# Optional: Output the vulnerability report
- output-format: table
+ output-format: sarif
+ only-fixed: true
+
+ - name: upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
# Archive the SBOM as an artifact
- name: Upload SBOM
From bf04d81392f4b279ee070b2f4e9cd24d1e30440a Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:03:14 -0600
Subject: [PATCH 07/15] Attempting fix
---
.github/workflows/supply-chain-security.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 12a57b1..11b976d 100644
--- a/.github/workflows/supply-chain-security.yaml
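Review bot: The new `upload Anchore scan SARIF report` step calls `github/codeql-action/upload-sarif@v3`, which writes to code scanning and needs `security-events: write` on `GITHUB_TOKEN`; no hunk in this series declares a `permissions:` block, so the upload depends on the repository's default token scope, and on `pull_request` runs from forks the token is read-only regardless. The step also sits after a scan step with `fail-build: true`, so in the one run where the SARIF matters most — a failing gate — the job stops before the upload executes; an `if: always()` on the upload step keeps it running, provided the scan action still sets `steps.scan.outputs.sarif` when it fails (confirm against the action's documentation). `only-fixed: true` deserves a comment because it silently narrows both the gate and the report, e.g. `# only-fixed: findings with no available fix are excluded from the gate and the SARIF`. All three points apply equally to the re-enabled upload step in PATCH 15.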
+++ b/.github/workflows/supply-chain-security.yaml
@@ -19,6 +19,7 @@ jobs:
with:
format: cyclonedx-json
artifact-name: sbom.json
+ path: .
# Scan the SBOM for vulnerabilities using Anchore Grype
- name: Scan SBOM for vulnerabilities
@@ -27,7 +28,7 @@ jobs:
with:
sbom: sbom.json
# Set fail-build to true to fail the workflow if critical vulnerabilities are found
- fail-build: true
+ fail-build: false
severity-cutoff: critical
# Optional: Output the vulnerability report
output-format: sarif
From 91b8b24f0104b2fa82274257e8efe264f7de790c Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:06:02 -0600
Subject: [PATCH 08/15] Another attempt
---
.github/workflows/supply-chain-security.yaml | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 11b976d..a63a5bf 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -34,14 +34,19 @@ jobs:
output-format: sarif
only-fixed: true
- - name: upload Anchore scan SARIF report
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
-
- # Archive the SBOM as an artifact
- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom
path: ./sbom.json
+
+ - name: Upload Results
+ uses: actions/upload-artifact@v4
+ with:
+ name: results.sarif
+ path: ${{ steps.scan.outputs.sarif }}
+
+# - name: upload Anchore scan SARIF report
+# uses: github/codeql-action/upload-sarif@v3
+# with:
+# sarif_file: ${{ steps.scan.outputs.sarif }}
\ No newline at end of file
From 1f22dca13cdac9071b31a3faf2b9ecf0e9abd051 Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:10:52 -0600
Subject: [PATCH 09/15] Another fix
---
.github/workflows/supply-chain-security.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
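Review bot: `fail-build: false` turns the scan into a report-only step — a pull request with critical, fixable findings now passes the workflow — while the comment directly above it still states that the build fails on critical findings, so the hunk leaves the setting and its comment contradicting each other. If the flip is diagnostic (the subject `Attempting fix` suggests it is), mark it as such next to the line, e.g. `# TEMP: gate disabled while the SBOM hand-off is debugged`, so it cannot be mistaken for the intended policy; PATCH 15 eventually restores `true`. In PATCH 08's hunk the `upload-sarif` block is kept as commented-out YAML at column 0 rather than deleted; git history already preserves it, and commented-out steps in a workflow tend to be re-enabled later without a fresh look at the token permissions they require.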
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index a63a5bf..5596e17 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -37,8 +37,8 @@ jobs:
- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
- name: sbom
- path: ./sbom.json
+ name: sbom.json
+ path: "${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}"
- name: Upload Results
uses: actions/upload-artifact@v4
From d9d74008f5a5bf10663bebbd9b5bf11b2182ea3f Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:13:36 -0600
Subject: [PATCH 10/15] Another fix
---
.github/workflows/supply-chain-security.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 5596e17..83bdb7d 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -26,7 +26,7 @@ jobs:
id: scan
uses: anchore/scan-action@v6
with:
- sbom: sbom.json
+ sbom: "${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}"
# Set fail-build to true to fail the workflow if critical vulnerabilities are found
fail-build: false
severity-cutoff: critical
From 3105e338384ee541c9bae51155f1b3cb2ac3ddbe Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:25:17 -0600
Subject: [PATCH 11/15] Another fix
---
.github/workflows/supply-chain-security.yaml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 83bdb7d..82f1264 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -31,7 +31,7 @@ jobs:
fail-build: false
severity-cutoff: critical
# Optional: Output the vulnerability report
- output-format: sarif
+ output-format: table
only-fixed: true
- name: Upload SBOM
@@ -40,11 +40,11 @@ jobs:
name: sbom.json
path: "${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}"
- - name: Upload Results
- uses: actions/upload-artifact@v4
- with:
- name: results.sarif
- path: ${{ steps.scan.outputs.sarif }}
+ # - name: Upload Results
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: results.sarif
+ # path: ${{ steps.scan.outputs.sarif }}
# - name: upload Anchore scan SARIF report
# uses: github/codeql-action/upload-sarif@v3
From a862b51e5d78298f09b92e703264b4fcc8b12ced Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:31:20 -0600
Subject: [PATCH 12/15] Another fix
---
.github/workflows/supply-chain-security.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 82f1264..94daefa 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -20,6 +20,7 @@ jobs:
format: cyclonedx-json
artifact-name: sbom.json
path: .
+ output-file: .
# Scan the SBOM for vulnerabilities using Anchore Grype
- name: Scan SBOM for vulnerabilities
From 0341c9578b0319884710717e6e96bfbd55ba45a4 Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:32:36 -0600
Subject: [PATCH 13/15] Another fix
---
.github/workflows/supply-chain-security.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index 94daefa..e4184f6 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -20,7 +20,7 @@ jobs:
format: cyclonedx-json
artifact-name: sbom.json
path: .
- output-file: .
+ output-file: sbom.json
# Scan the SBOM for vulnerabilities using Anchore Grype
- name: Scan SBOM for vulnerabilities
From 55dd70ad1e0fa2959472df59c6c16590806b7436 Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:34:54 -0600
Subject: [PATCH 14/15] Another fix
---
.github/workflows/supply-chain-security.yaml | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index e4184f6..f59d18d 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -32,20 +32,20 @@ jobs:
fail-build: false
severity-cutoff: critical
# Optional: Output the vulnerability report
- output-format: table
+ output-format: sarif
only-fixed: true
- - name: Upload SBOM
- uses: actions/upload-artifact@v4
- with:
- name: sbom.json
- path: "${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}"
-
- # - name: Upload Results
+ # - name: Upload SBOM
# uses: actions/upload-artifact@v4
# with:
- # name: results.sarif
- # path: ${{ steps.scan.outputs.sarif }}
+ # name: sbom.json
+ # path: "${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}"
+
+ - name: Upload Results
+ uses: actions/upload-artifact@v4
+ with:
+ name: results.sarif
+ path: ${{ steps.scan.outputs.sarif }}
# - name: upload Anchore scan SARIF report
# uses: github/codeql-action/upload-sarif@v3
From 1fbdd55bdd78da4eabc205af3a2f2b15935e04c9 Mon Sep 17 00:00:00 2001
From: Scott Brown
Date: Mon, 5 May 2025 16:38:50 -0600
Subject: [PATCH 15/15] Adding working copy
---
.github/workflows/supply-chain-security.yaml | 19 +++++-------------
1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
index f59d18d..bdb8708 100644
--- a/.github/workflows/supply-chain-security.yaml
+++ b/.github/workflows/supply-chain-security.yaml
@@ -3,7 +3,6 @@ name: SBOM Generation and Vulnerability Scanning
on:
pull_request:
branches: [ main ]
- # Allow manual triggering
workflow_dispatch:
jobs:
@@ -28,26 +27,18 @@ jobs:
uses: anchore/scan-action@v6
with:
sbom: "${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}"
- # Set fail-build to true to fail the workflow if critical vulnerabilities are found
- fail-build: false
+ fail-build: true
severity-cutoff: critical
- # Optional: Output the vulnerability report
output-format: sarif
only-fixed: true
- # - name: Upload SBOM
- # uses: actions/upload-artifact@v4
- # with:
- # name: sbom.json
- # path: "${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}"
-
- name: Upload Results
uses: actions/upload-artifact@v4
with:
name: results.sarif
path: ${{ steps.scan.outputs.sarif }}
-# - name: upload Anchore scan SARIF report
-# uses: github/codeql-action/upload-sarif@v3
-# with:
-# sarif_file: ${{ steps.scan.outputs.sarif }}
\ No newline at end of file
+ - name: upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
\ No newline at end of file
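Review bot: The hunk removes the `# Set fail-build to true ...` comment without replacing it, so the gate that this commit switches back on (`fail-build: true` together with `severity-cutoff: critical` and `only-fixed: true`) is now undocumented; a one-line comment above `fail-build` such as `# Fail the PR on critical findings that have a fix available (unfixable ones are dropped by only-fixed)` records the policy the next maintainer will otherwise have to reverse-engineer. The file still ends without a trailing newline (`\ No newline at end of file` on the new side), which yamllint flags and which makes the next append show as a spurious change to the last line. The SARIF is now both uploaded as the `results.sarif` artifact and sent to code scanning; if the artifact is only a debugging leftover from PATCH 08, say so in a comment or drop it so the workflow has one documented sink for findings.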