Add SBOM scan workflow (#3)

* feat: Add a reusable SBOM scan workflow

* ci: Update usage of local reusable workflows and actions

.github/workflows/_reusable-sbom-scan.yml

@@ -0,0 +1,48 @@
+---
+name: Create & Scan SBOM
+on:
+  workflow_call:
+jobs:
+  create-and-scan-sbom:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: write
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: x  # any version
+      - name: Create lockfile
+        run: |
+          pip install poetry
+          poetry lock
+      - name: Create SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          format: spdx-json
+          output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+      - uses: actions/attest-build-provenance@v1
+        if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
+        with:
+          subject-path: ${{ github.event.repository.name }}-sbom.spdx.json
+      - name: Scan SBOM
+        uses: anchore/scan-action@v4
+        id: scan
+        with:
+          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          fail-build: true
+          severity-cutoff: low
+      - name: Upload SBOM scan SARIF report as a workflow artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif_artifact
+          path: ${{ steps.scan.outputs.sarif }}
+          if-no-files-found: error
+      - name: Upload SBOM scan SARIF report to GitHub UI Security tab
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/codeql-analysis.yml

@@ -21,7 +21,7 @@ jobs:
         language: [python, javascript]
     steps:
       - name: Run CodeQL Analysis
-        uses: tektronix/python-package-ci-cd/actions/codeql-analysis@main
+        uses: ./actions/codeql-analysis
         with:
           language: ${{ matrix.language }}
           codeql-queries: security-extended,security-and-quality

.github/workflows/enforce-community-standards.yml

@@ -7,4 +7,4 @@ on:
     branches: [main]
 jobs:
   enforce-community-standards:
-    uses: tektronix/python-package-ci-cd/.github/workflows/reusable-enforce-community-standards.yml@main
+    uses: ./.github/workflows/_reusable-enforce-community-standards.yml

.github/workflows/sbom-scan.yml

@@ -0,0 +1,17 @@
+---
+name: Create & Scan SBOM
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  release:
+    types: [published]
+jobs:
+  sbom-scan:
+    uses: ./.github/workflows/_reusable-sbom-scan.yml
+    permissions:
+      security-events: write
+      contents: write
+      id-token: write
+      attestations: write

README.md

@@ -23,6 +23,10 @@ Python Packaging CI/CD.
 - [`enforce-community-standards.yml`](./workflows/enforce-community-standards.md)
     - This workflow will ensure that all necessary files are in place in order to meet the
         Open Source Community Standards for a repository.
+- [`sbom-scan.yml`](./workflows/sbom-scan.md)
+    - This workflow will create a Software Bill of Materials (SBOM) for the repository using the
+        [`anchore/sbom-action`](https://github.com/anchore/sbom-action) Action and then scan the
+        SBOM using the [`anchore/scan-action`](https://github.com/anchore/scan-action) Action.
 
 ## Maintainers
 

workflows/check-api-for-breaking-changes.md

@@ -23,7 +23,7 @@ on:
 jobs:
   check-api-for-breaking-changes:
     uses:
-      tektronix/python-package-ci-cd/.github/workflows/reusable-check-api-for-breaking-changes.yml@main  # it is recommended to use the latest release tag instead of `main`
+      tektronix/python-package-ci-cd/.github/workflows/_reusable-check-api-for-breaking-changes.yml@main  # it is recommended to use the latest release tag instead of `main`
     with:
       package-name: my_package_name  # required
 ```

workflows/enforce-community-standards.md

@@ -32,5 +32,5 @@ on:
     branches: [main]
 jobs:
   enforce-community-standards:
-    uses: tektronix/python-package-ci-cd/.github/workflows/reusable-enforce-community-standards.yml@main  # it is recommended to use the latest release tag instead of `main`
+    uses: tektronix/python-package-ci-cd/.github/workflows/_reusable-enforce-community-standards.yml@main  # it is recommended to use the latest release tag instead of `main`
 ```

workflows/sbom-scan.md

@@ -0,0 +1,31 @@
+# sbom-scan.yml
+
+This workflow will create a Software Bill of Materials (SBOM) for the repository using the
+[`anchore/sbom-action`](https://github.com/anchore/sbom-action) Action and then scan the SBOM
+using the [`anchore/scan-action`](https://github.com/anchore/scan-action) Action.
+
+In order to use this workflow, the Python package must be using the
+[Poetry package manager](https://python-poetry.org/). When calling the reusable workflow, the
+following permissions must be set to `write`: `security-events`, `contents`, `id-token`, and
+`attestations`.
+
+## Example
+
+```yaml
+name: Create & Scan SBOM
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  release:
+    types: [published]
+jobs:
+  sbom-scan:
+    uses: tektronix/python-package-ci-cd/.github/workflows/_reusable-sbom-scan.yml@main  # it is recommended to use the latest release tag instead of `main`
+    permissions:
+      security-events: write
+      contents: write
+      id-token: write
+      attestations: write
+```