-
Notifications
You must be signed in to change notification settings - Fork 127
54 lines (45 loc) · 1.53 KB
/
sbom-vulns.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
name: "Syft & Grype SBOM and Vuln Scan"
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
Anchore-Syft-Grype:
runs-on: ubuntu-latest
steps:
# Checkout le branch
- name: Checkout
uses: actions/checkout@v3
# Build the ElectricEye Docker Image, locally
- name: Build ElectricEye Docker Image
run: docker build . --file Dockerfile --tag localbuild/electriceye:latest
# Generate an CycloneDX JSON SBOM with Syft on the Image
- name: Generate CDX SBOM
uses: anchore/sbom-action@v0
with:
image: localbuild/electriceye:latest
format: cyclonedx-json # the One True SBOM Format
artifact-name: syft-cdx-sbom.json
output-file: syft-cdx-sbom.json
# Print SBOM to stdout
- name: SBOM Printer Goes Brrrr
run: cat "syft-cdx-sbom.json"
# Scan the CDX SBOM with Grype
- name: Grype Scan SBOM
uses: anchore/[email protected]
id: scan
with:
output-format: sarif
sbom: "syft-cdx-sbom.json"
severity-cutoff: critical
fail-build: true
# Print Grype SARIF Report to stdout
- name: View Grype Scan SBOM Report
if: always() # run when build fails too
run: cat "${{ steps.scan.outputs.sarif }}"
# Upload Grype SARIF Report to GitHub Security
- name: Upload Grype Scan SBOM Report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}