Dynamic SBOM/SCA Scout #2

Summary
Jobs
- mdsbom
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/dynamic_sbom_sca_scout.yml at 0d37435

	## Scan a docker image -> get a SARIF/SBOM report

	name: Dynamic SBOM/SCA Scout

	on:
	workflow_dispatch:
	inputs:
	docker_image:
	description: 'The Docker image to scan'
	required: true
	default: 'appsecco/dvna:sqlite'

	# env:
	# REGISTRY: ghcr.io
	# IMAGE_NAME: ${{ github.repository }}
	# SHA: ${{ github.event.pull_request.head.sha \|\| github.event.after }}

	jobs:
	mdsbom:
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	security-events: write

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Login to Dockerhub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	# - name: Login to GHCR
	# uses: docker/login-action@v3
	# with:
	# registry: ${{ env.REGISTRY }}
	# username: ${{ github.actor }}
	# password: ${{ secrets.GITHUB_TOKEN }}

	# Pull the github input image or use the default
	- name: Pull the image
	run: docker pull ${{ github.event.inputs.docker_image }}

	- name: Docker Scout
	uses: docker/scout-action@v1
	with:
	command: cves,recommendations,compare,sbom
	image: ${{ github.event.inputs.docker_image }}
	#only-severities: critical,high # only show critical and high CVEs
	#only-fixed: true # filter to fixed CVEs
	exit-code: false # fail or not based on CVEs found?
	sarif-file: sca_scout.sarif
	output: sbom_scout.spdx.json
	format: spdx

	- name: mdsbom action
	uses: ethan42/mdsbom-action@a2c9192003073408ace2827352e7a40e70896e1e
	with:
	workspace: forallsecure
	mayhem-token: ${{ secrets.MAYHEM_TOKEN }}

	- name: Run software package for 10 seconds
	run: timeout -s 9 10 docker run -i ${{ github.event.inputs.docker_image }} \|\| true

	- name: Pause to let mdsbom sync state
	run: sleep 30

	- name: Generate DSBOM report
	run: \|
	stat sbom_scout.spdx.json && \
	stat sca_scout.sarif && \
	mdsbom report ${{ github.event.inputs.docker_image }} \
	--workspace forallsecure \
	--sca-report-source sca_scout.sarif \
	--sbom-report-source sbom_scout.spdx.json \
	--sca-report-out dynamic_sca_scout.sarif \
	--sbom-report-out dynamic_sbom_scout.spdx.json

	- name: Upload SBOM file as an artifact
	uses: actions/upload-artifact@v4
	with:
	name: dynamic_sbom_scout.spdx.json
	path: dynamic_sbom_scout.spdx.json

	- name: Upload SARIF file as an artifact
	uses: actions/upload-artifact@v4
	with:
	name: dynamic_sca_scout.sarif
	path: dynamic_sca_scout.sarif

	# Only available on Github Enterprise or public repositories
	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: dynamic_sca_scout.sarif
	category: Security/SCA

	- name: SBOM upload
	uses: advanced-security/[email protected]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dynamic SBOM/SCA Scout #2

Workflow file

Dynamic SBOM/SCA Scout #2

Jobs

Run details

Workflow file for this run