generate SBOM (#16)
* generate SBOM

* update SBOM

* update SBOM

* generate cyclonedx also

* temp

* disable fail fast

* new SBOM

* add ignores

* Revert "temp"

This reverts commit fc77d58.

* adapt exclusions

* Update .github/workflows/build-base-images.yml

Co-authored-by: dennismeister93 <[email protected]>

* add env for ubuntu version

* Revert "add env for ubuntu version"

This reverts commit 0c82b8f.

* update SBOM

* update names and workflow

* update licenses

* use syft directly

* update steps

* add output

* fix check

* checkout pr-branch

* Updated SBOM

* hopefully final changes

* Revert "checkout pr-branch"

This reverts commit 0082665.

* update SBOM

* update pre-commit and branch

* remove last piece of matrix

* always push

* temp

* fix

* Updated SBOM

* Revert "temp"

This reverts commit a36bda3.

* remove outdated comment

* Updated SBOM

---------

Co-authored-by: dennismeister93 <[email protected]>
MP91 and dennismeister93 authored Feb 20, 2023
1 parent 4e3eb7f commit bc64c59
Showing 7 changed files with 854,571 additions and 2 deletions.
54 changes: 53 additions & 1 deletion .github/workflows/build-base-images.yml
@@ -36,7 +36,9 @@ jobs:
language: [python, cpp]

name: "Building image"
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.get-tag.outputs.tag }}
runs-on: ubuntu-22.04

steps:
- name: Checkout repository
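Review bot: the new `outputs: tag: ${{ steps.get-tag.outputs.tag }}` on the build-image job refers to a step with `id: get-tag` that is not visible in this hunk; confirm it exists, and note that because the job runs a `language: [python, cpp]` matrix, the job-level output is whichever matrix leg wrote it last, so the tag must be identical across legs or the downstream job will scan the wrong image. Replacing `runs-on: ubuntu-latest` with `runs-on: ubuntu-22.04` is a sound reproducibility improvement.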
@@ -76,3 +78,53 @@ jobs:
push: always
platform: linux/amd64,linux/arm64
subFolder: ./Dockerfiles/${{ matrix.language }}/

generate-sbom:
name: Generate SBOM
runs-on: ubuntu-22.04
needs: [build-image]
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: ${{ github.head_ref }}

- name: Install Syft
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

- name: Generate SBOM
run: |
syft -o spdx-json=SBOM/python.spdx.json -o cyclonedx-json=SBOM/python.cyclonedx.json ghcr.io/${{ github.repository }}/python:${{ needs.build-image.outputs.tag }}
syft -o spdx-json=SBOM/cpp.spdx.json -o cyclonedx-json=SBOM/cpp.cyclonedx.json ghcr.io/${{ github.repository }}/cpp:${{ needs.build-image.outputs.tag }}
- name: Upload SBOM as artifact
uses: actions/upload-artifact@v3
with:
name: SBOM
path: |
SBOM/*.json
- name: Check if SBOM changed
id: check-sbom
run: |
if [[ -n $(git diff -w -I'^.*SPDXID' -I'^.*ghcr.io/${{ github.repository }}' \
-I'^.*created' -I'^.*spdxElementId' -I'^.*relatedSpdxElement' -I'^.*comment' -I'^.*version": "sha256' \
-I'^.*serialNumber' -I'^.*timestamp' -I'^.*"value": "sha256:' -I'^.*bom-ref') ]]; then
echo "SBOM changed"
echo "SBOM_CHANGED=true" >> $GITHUB_OUTPUT
else
echo "SBOM up to date"
echo "SBOM_CHANGED=false" >> $GITHUB_OUTPUT
fi
- uses: EndBug/add-and-commit@v9
id: push-changes
if: steps.check-sbom.outputs.SBOM_CHANGED == 'true'
with:
message: 'Updated SBOM'

- name: Fail if SBOM changed and not commited
if: steps.check-sbom.outputs.SBOM_CHANGED == 'true' && steps.push-changes.outputs.pushed != 'true'
run: |
echo '::error:: SBOM changed, please download the artifacts and commit the new content'
exit 1
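Review bot: the `Install Syft` step, `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin`, fetches the installer from the unpinned `main` branch and installs whatever Syft release is current at run time, in a job whose purpose is supply-chain transparency; pin the installer (a commit SHA in the raw URL, or a checksum check before piping to `sh`) and pass a fixed release version to the script, otherwise the generated SBOM drifts with tool upgrades and the `Check if SBOM changed` step will produce spurious `Updated SBOM` commits. Minor: the step name `Fail if SBOM changed and not commited` has a typo (`committed`).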
3 changes: 2 additions & 1 deletion .pre-commit-config.yaml
@@ -1,8 +1,9 @@
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
exclude: SBOM/
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
rev: v4.4.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
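Review bot: `exclude: SBOM/` is a Python regular expression that pre-commit searches against the whole file path, so it also skips any file whose path contains `SBOM/` at a deeper level; anchor it as `exclude: ^SBOM/` to limit the exclusion to the top-level directory the workflow writes to. The bump from `rev: v3.2.0` to `rev: v4.4.0` is fine as long as the hook ids listed below it still exist in that release.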
2 changes: 2 additions & 0 deletions NOTICE-3RD-PARTY-CONTENT.md
@@ -4,6 +4,8 @@
| Dependency | Version | License |
|:-----------|:-------:|--------:|
|actions/checkout|v3|MIT License|
|actions/upload-artifact|v3|MIT License|
|devcontainers/ci|v0.2|MIT License|
|docker/login-action|v2|Apache License 2.0|
|docker/setup-buildx-action|v2|Apache License 2.0|
|EndBug/add-and-commit|v9|MIT License|
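Review bot: the added row `|actions/upload-artifact|v3|MIT License|` covers the new artifact step, but Syft, which the same workflow change installs through the curl installer rather than as an action, is not recorded; if this notice is meant to list every third-party tool the workflows pull in, add a row for anchore/syft (Apache License 2.0) alongside the actions.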