more tweaking

shellz-n-stuff · Jun 23, 2024 · 19e0070 · 19e0070
1 parent b99371f
commit 19e0070
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
@@ -36,6 +36,10 @@ jobs:
         distribution: 'zulu'
         java-version: '17'
         cache: 'gradle'
+
+    - name: Install Syft
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 
     - name: Login to GitHub Container Registry
       uses: docker/login-action@v3
@@ -56,15 +60,15 @@ jobs:
     - name: Get Image Digest
       id: image-digest
       run: |
-        DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' {{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }})
+        DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }})
         echo "DIGEST=${DIGEST}" >> $GITHUB_ENV
 
     - name: Sign Docker Image with Cosign
       env:
         COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       run: |
          cosign sign --yes --key <(echo "${{ secrets.COSIGN_PRIVATE_KEY }}") ${{ env.DIGEST }}
-      
+
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/[email protected]
       with:
@@ -80,3 +84,6 @@ jobs:
       uses: github/codeql-action/upload-sarif@v2
       with:
         sarif_file: 'trivy-results.sarif'
+
+    - name: Generate SBOM
+      run: syft ghcr.io/shellz-n-stuff/slsa-spring-demo:${{ env.COMMIT_SHA }} -o json > sbom.json