From 62909598eac9a33a1832fb93edcffaafda80a356 Mon Sep 17 00:00:00 2001
From: Nicholas Felt
Date: Thu, 15 Aug 2024 16:45:31 -0700
Subject: [PATCH] Add SBOM scan workflow (#3)
* feat: Add a reusable SBOM scan workflow
* ci: Update usage of local reusable workflows and actions
---
 ...usable-check-api-for-breaking-changes.yml} | 0
 ..._reusable-enforce-community-standards.yml} | 0
 .github/workflows/_reusable-sbom-scan.yml | 48 +++++++++++++++++++
 .github/workflows/codeql-analysis.yml | 2 +-
 .../workflows/enforce-community-standards.yml | 2 +-
 .github/workflows/sbom-scan.yml | 17 +++++++
 README.md | 4 ++
 workflows/check-api-for-breaking-changes.md | 2 +-
 workflows/enforce-community-standards.md | 2 +-
 workflows/sbom-scan.md | 31 ++++++++++++
 10 files changed, 104 insertions(+), 4 deletions(-)
 rename .github/workflows/{reusable-check-api-for-breaking-changes.yml => _reusable-check-api-for-breaking-changes.yml} (100%)
 rename .github/workflows/{reusable-enforce-community-standards.yml => _reusable-enforce-community-standards.yml} (100%)
 create mode 100644 .github/workflows/_reusable-sbom-scan.yml
 create mode 100644 .github/workflows/sbom-scan.yml
 create mode 100644 workflows/sbom-scan.md
diff --git a/.github/workflows/reusable-check-api-for-breaking-changes.yml b/.github/workflows/_reusable-check-api-for-breaking-changes.yml
similarity index 100%
rename from .github/workflows/reusable-check-api-for-breaking-changes.yml
rename to .github/workflows/_reusable-check-api-for-breaking-changes.yml
diff --git a/.github/workflows/reusable-enforce-community-standards.yml b/.github/workflows/_reusable-enforce-community-standards.yml
similarity index 100%
rename from .github/workflows/reusable-enforce-community-standards.yml
rename to .github/workflows/_reusable-enforce-community-standards.yml
diff --git a/.github/workflows/_reusable-sbom-scan.yml b/.github/workflows/_reusable-sbom-scan.yml
new file mode 100644
index 00000000..6b7df4e6
--- /dev/null
+++ b/.github/workflows/_reusable-sbom-scan.yml
@@ -0,0 +1,48 @@
+---
+name: Create & Scan SBOM
+on:
+ workflow_call:
+jobs:
+ create-and-scan-sbom:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: write
+ id-token: write
+ attestations: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: x # any version
+ - name: Create lockfile
+ run: |
+ pip install poetry
+ poetry lock
+ - name: Create SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ format: spdx-json
+ output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+ - uses: actions/attest-build-provenance@v1
+ if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
+ with:
+ subject-path: ${{ github.event.repository.name }}-sbom.spdx.json
+ - name: Scan SBOM
+ uses: anchore/scan-action@v4
+ id: scan
+ with:
+ sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+ fail-build: true
+ severity-cutoff: low
+ - name: Upload SBOM scan SARIF report as a workflow artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: sarif_artifact
+ path: ${{ steps.scan.outputs.sarif }}
+ if-no-files-found: error
+ - name: Upload SBOM scan SARIF report to GitHub UI Security tab
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d17b9b8c..f2ae6ebc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,7 +21,7 @@ jobs:
 language: [python, javascript]
 steps:
 - name: Run CodeQL Analysis
- uses: tektronix/python-package-ci-cd/actions/codeql-analysis@main
+ uses: ./actions/codeql-analysis
 with:
 language: ${{ matrix.language }}
 codeql-queries: security-extended,security-and-quality
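Review bot: The two SARIF upload steps at the end of the `create-and-scan-sbom` job never run when the scan actually finds something, because `fail-build: true` makes the `Scan SBOM` step fail and the uploads carry no `always()`-style condition, so the findings that matter are exactly the ones that never reach the artifact or the Security tab. Change the artifact upload to `if: ${{ !cancelled() }}` and the Security-tab upload to `if: ${{ !cancelled() && github.event_name != 'pull_request' }}`, keeping `fail-build: true` so the job still ends red afterwards. Separately, every action here is referenced by a mutable major tag (`@v4`, `@v0`, `@v1`, `@v3`), `pip install poetry` is unpinned and `poetry lock` re-resolves on every run, while the job holds `id-token: write` and `attestations: write`; for a workflow whose product is a signed provenance attestation, pinning actions to commit SHAs and Poetry to a version makes the attested SBOM reproducible and narrows the supply-chain surface. `contents: write` does not appear to be needed by any visible step (the attestation action, as far as I recall, documents `contents: read`), and the same grant is repeated by the caller in the `sbom-scan.yml` hunk below, which is triggered on `pull_request`; both should drop to `contents: read` unless a step I cannot see requires write.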
diff --git a/.github/workflows/enforce-community-standards.yml b/.github/workflows/enforce-community-standards.yml
index 9438121a..942819a2 100644
--- a/.github/workflows/enforce-community-standards.yml
+++ b/.github/workflows/enforce-community-standards.yml
@@ -7,4 +7,4 @@ on:
 branches: [main]
 jobs:
 enforce-community-standards:
- uses: tektronix/python-package-ci-cd/.github/workflows/reusable-enforce-community-standards.yml@main
+ uses: ./.github/workflows/_reusable-enforce-community-standards.yml
diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
new file mode 100644
index 00000000..11535713
--- /dev/null
+++ b/.github/workflows/sbom-scan.yml
@@ -0,0 +1,17 @@
+---
+name: Create & Scan SBOM
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ release:
+ types: [published]
+jobs:
+ sbom-scan:
+ uses: ./.github/workflows/_reusable-sbom-scan.yml
+ permissions:
+ security-events: write
+ contents: write
+ id-token: write
+ attestations: write
diff --git a/README.md b/README.md
index 7c5e5642..74283a99 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,10 @@ Python Packaging CI/CD.
 - [`enforce-community-standards.yml`](./workflows/enforce-community-standards.md) - This workflow will ensure that all necessary files are in place in order to meet the Open Source Community Standards for a repository.
+- [`sbom-scan.yml`](./workflows/sbom-scan.md)
+ - This workflow will create a Software Bill of Materials (SBOM) for the repository using the
+ [`anchore/sbom-action`](https://github.com/anchore/sbom-action) Action and then scan the
+ SBOM using the [`anchore/scan-action`](https://github.com/anchore/scan-action) Action.
 ## Maintainers
diff --git a/workflows/check-api-for-breaking-changes.md b/workflows/check-api-for-breaking-changes.md
index ccdb88ec..1e2431b9 100644
--- a/workflows/check-api-for-breaking-changes.md
+++ b/workflows/check-api-for-breaking-changes.md
@@ -23,7 +23,7 @@ on:
 jobs:
 check-api-for-breaking-changes:
 uses:
- tektronix/python-package-ci-cd/.github/workflows/reusable-check-api-for-breaking-changes.yml@main # it is recommended to use the latest release tag instead of `main`
+ tektronix/python-package-ci-cd/.github/workflows/_reusable-check-api-for-breaking-changes.yml@main # it is recommended to use the latest release tag instead of `main`
 with:
 package-name: my_package_name # required
 ```
diff --git a/workflows/enforce-community-standards.md b/workflows/enforce-community-standards.md
index 5e25f44f..11cecbf5 100644
--- a/workflows/enforce-community-standards.md
+++ b/workflows/enforce-community-standards.md
@@ -32,5 +32,5 @@ on:
 branches: [main]
 jobs:
 enforce-community-standards:
- uses: tektronix/python-package-ci-cd/.github/workflows/reusable-enforce-community-standards.yml@main # it is recommended to use the latest release tag instead of `main`
+ uses: tektronix/python-package-ci-cd/.github/workflows/_reusable-enforce-community-standards.yml@main # it is recommended to use the latest release tag instead of `main`
 ```
diff --git a/workflows/sbom-scan.md b/workflows/sbom-scan.md
new file mode 100644
index 00000000..19ef5e96
--- /dev/null
+++ b/workflows/sbom-scan.md
@@ -0,0 +1,31 @@
+# sbom-scan.yml
+
+This workflow will create a Software Bill of Materials (SBOM) for the repository using the
+[`anchore/sbom-action`](https://github.com/anchore/sbom-action) Action and then scan the SBOM
+using the [`anchore/scan-action`](https://github.com/anchore/scan-action) Action.
+
+In order to use this workflow, the Python package must be using the
+[Poetry package manager](https://python-poetry.org/). When calling the reusable workflow, the
+following permissions must be set to `write`: `security-events`, `contents`, `id-token`, and
+`attestations`.
+
+## Example
+
+```yaml
+name: Create & Scan SBOM
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ release:
+ types: [published]
+jobs:
+ sbom-scan:
+ uses: tektronix/python-package-ci-cd/.github/workflows/_reusable-sbom-scan.yml@main # it is recommended to use the latest release tag instead of `main`
+ permissions:
+ security-events: write
+ contents: write
+ id-token: write
+ attestations: write
+```