scottbrown · scottbrown · May 5, 2025 · May 5, 2025 · May 5, 2025 · May 5, 2025
diff --git a/.github/workflows/automerge-dependabot.yaml b/.github/workflows/automerge-dependabot.yaml
@@ -1,5 +1,5 @@
 ---
-name: Depedabot auto-merge
+name: Dependabot auto-merge
 on: pull_request
 
 jobs:

diff --git a/.github/workflows/supply-chain-security.yaml b/.github/workflows/supply-chain-security.yaml
@@ -0,0 +1,44 @@
+name: SBOM Generation and Vulnerability Scanning
+
+on:
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  sbom-and-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      # Generate SBOM using Anchore Syft
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          format: cyclonedx-json
+          artifact-name: sbom.json
+          path: .
+          output-file: sbom.json
+
+      # Scan the SBOM for vulnerabilities using Anchore Grype
+      - name: Scan SBOM for vulnerabilities
+        id: scan
+        uses: anchore/scan-action@v6
+        with:
+          sbom: "${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}"
+          fail-build: true
+          severity-cutoff: critical
+          output-format: sarif
+          only-fixed: true
+
+      - name: Upload Results
+        uses: actions/upload-artifact@v4
+        with:
+          name: results.sarif
+          path: ${{ steps.scan.outputs.sarif }}
+
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}