Skip to content

Dynamic SBOM/SCA Anchore #2

Dynamic SBOM/SCA Anchore

Dynamic SBOM/SCA Anchore #2

## Scan a docker image -> get a SARIF/SBOM report based on
## what is actually referenced at runtime.
name: Dynamic SBOM/SCA Anchore
on:
workflow_dispatch:
inputs:
docker_image:
description: 'The Docker image to scan'
required: true
default: 'appsecco/dvna:sqlite'
# env:
# REGISTRY: ghcr.io
# IMAGE_NAME: ${{ github.repository }}
# SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
jobs:
anchore:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
## Optional: login if your image is private
# - name: Login to Dockerhub
# uses: docker/login-action@v3
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
# - name: Login to GHCR
# uses: docker/login-action@v3
# with:
# registry: ${{ env.REGISTRY }}
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}
# Pull the github input image or use the default
- name: Pull the image
run: docker pull ${{ github.event.inputs.docker_image }}
- name: Run the Anchore Grype scan action
uses: anchore/scan-action@v4
id: scan
with:
image: ${{ github.event.inputs.docker_image }}
fail-build: false
only-fixed: true
output-format: sarif
#severity-cutoff: critical
- name: Run the Anchore Syft sbom action
uses: anchore/sbom-action@v0
id: syft
with:
image: ${{ github.event.inputs.docker_image }}
format: spdx-json
output-file: sbom_anchore.spdx.json
upload-artifact: false
- name: mdsbom action
uses: ethan42/mdsbom-action@a2c9192003073408ace2827352e7a40e70896e1e
with:
workspace: forallsecure
mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
- name: Run software package for 10 seconds
run: timeout -s 2 10 docker -it ${{ github.event.inputs.docker_image }} || true
- name: Generate Dynamic SBOM/SCA reports
run: |
stat sbom_anchore.spdx.json && \
stat ${{ steps.scan.outputs.sarif }} && \
mdsbom report ${{ github.event.inputs.docker_image }} \
--workspace forallsecure \
--sca-report-source ${{ steps.scan.outputs.sarif }} \
--sbom-report-source sbom_anchore.spdx-json \
--sca-report-out dynamic_sca_anchore.sarif \
--sbom-report-out dynamic_sbom_anchore.spdx-json
- name: Upload SBOM file as an artifact
uses: actions/upload-artifact@v4
with:
name: dynamic_sbom_anchore.spdx.json
path: dynamic_sbom_anchore.spdx.json
- name: Upload SARIF file as an artifact
uses: actions/upload-artifact@v4
with:
name: dynamic_sca_anchore.sarif
path: dynamic_sca_anchore.sarif
# Only available on Github Enterprise or public repositories
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: dynamic_sca_anchore.sarif
category: Security/SCA
- name: SBOM upload
uses: advanced-security/[email protected]