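name: Scan latest release SBOM
# Find the latest release, pull its SBOM (if it exists), and scan the result.
#
# Security notes for maintainers:
#   - The token is scoped to read-only repository contents below; nothing in
#     this job needs write access.
#   - anchore/scan-action is referenced by a mutable tag (v3). For a
#     supply-chain control it is better to pin to a full commit SHA and let
#     Dependabot bump it.
#   - The SBOM is fetched from the release asset URL GitHub returns. Anyone
#     with write access to the repo can replace release assets, so the scan
#     result is only as trustworthy as the release itself.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:

# Least privilege: gh release list/view and the asset download only need to
# read repository contents. The default GITHUB_TOKEN may be read/write on
# every scope depending on repository settings.
permissions:
  contents: read

jobs:
  grype:
    runs-on: ubuntu-latest
    steps:
      - name: Determine last release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh version
          # $GITHUB_REPOSITORY is already in the environment; reading it as a
          # shell variable avoids interpolating a workflow expression into
          # the script.
          LATEST_RELEASE=$(
            gh release list \
              --repo "$GITHUB_REPOSITORY" \
              --json tagName,name,isLatest \
              --jq '.[] | select(.isLatest==true) | .tagName')
          # With no release marked "latest" the next step would call
          # `gh release view ""`; fail here with a clear message instead.
          if [ -z "${LATEST_RELEASE}" ]; then
            echo "::error::No release marked 'latest' in ${GITHUB_REPOSITORY}"
            exit 1
          fi
          echo "LATEST_RELEASE=${LATEST_RELEASE}" | tee -a "$GITHUB_ENV"

      - name: Find Release SBOM
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # One URL per matching asset, newline-separated.
          SBOM_URLS=$(
            gh release view "${LATEST_RELEASE}" \
              --repo "$GITHUB_REPOSITORY" \
              --json assets \
              --jq '.assets[] | select(.name | contains("sbom")) | .url')
          # The workflow is meant to scan the SBOM "if it exists"; with no
          # match, wget would be invoked with an empty URL. Fail explicitly.
          if [ -z "${SBOM_URLS}" ]; then
            echo "::error::Release ${LATEST_RELEASE} has no asset whose name contains 'sbom'"
            exit 1
          fi
          # Each line of GITHUB_ENV is parsed as its own NAME=VALUE (or heredoc)
          # entry, so a multi-line value written as SBOM_URL=... is not a single
          # variable. Until several SBOMs are supported, refuse rather than
          # silently scan whichever one happens to come first.
          # TODO - handle multiple SBOM assets (scan each of them).
          if [ "$(printf '%s\n' "${SBOM_URLS}" | wc -l)" -ne 1 ]; then
            echo "::error::Release ${LATEST_RELEASE} has more than one SBOM asset:"
            echo "${SBOM_URLS}"
            exit 1
          fi
          echo "SBOM_URL=${SBOM_URLS}" | tee -a "$GITHUB_ENV"

      - name: Pull SBOM
        # The URL is the one GitHub's API returned for this release's asset.
        # --https-only refuses to follow any redirect down to plain HTTP.
        # NOTE(review): no token is passed here, so this assumes the release
        # assets are publicly downloadable; a private repository would need an
        # authenticated download (e.g. `gh release download`) -- confirm.
        run: wget --https-only "${SBOM_URL}" -O release.sbom

      - name: Scan SBOM
        id: scan
        # NOTE(review): v3 is a mutable tag. Pin to a full commit SHA (with the
        # version in a trailing comment) so the action cannot be swapped out
        # underneath this workflow.
        uses: anchore/scan-action@v3
        # continue-on-error keeps the job running so the next step can react;
        # steps.scan.outcome is still 'failure' when this step fails.
        continue-on-error: true
        with:
          sbom: release.sbom
          # fail-build makes the step fail on a finding at or above the
          # cutoff; that failure is handled by the next step.
          fail-build: true
          # Caveat: only-fixed hides findings that have no upstream fix yet.
          # That keeps the signal actionable, but unfixed CVEs never trigger
          # this gate.
          only-fixed: true
          by-cve: true
          # Repository variable overrides the default cutoff.
          severity-cutoff: ${{ vars.GRYPE_SEVERITY_CUTOFF || 'high' }}
          output-format: json

      - name: Notify on failure
        if: ${{ steps.scan.outcome == 'failure' }}
        run: |
          # outcome == 'failure' covers both "findings at or above the cutoff"
          # and "the scan itself errored"; both deserve attention.
          echo "::error::Grype scan of the ${LATEST_RELEASE} SBOM failed or reported vulnerabilities at or above the configured cutoff"
          echo "TODO: implement notification!"
          # Until a notification exists, fail the job: with continue-on-error
          # on the scan step the job would otherwise finish green and the
          # finding would be silently swallowed.
          exit 1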