chore(actions): cyclonedx sbom

ydataai · Mar 21, 2024 · 4007bac · 4007bac
1 parent 6ce7183
commit 4007bac
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 59 deletions.
diff --git a/.github/workflows/prereleased.yaml b/.github/workflows/prereleased.yaml
@@ -24,7 +24,6 @@ env:
 
   AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
   SBOM_FILENAME: docker-sbom
-  NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
 
 
 
@@ -92,26 +91,12 @@ jobs:
         load: true
         tags: ${{ env.DOCKER_IMAGE_TAG }}
 
-    - name: Create Docker SBOM
+    - name: Create SBOM
       uses: anchore/sbom-action@v0
       with:
         upload-artifact-retention: 1
-        image: ${{ steps.docker_build.outputs.imageId }}
-        format: spdx-json
-        upload-release-assets: false
-        output-file: ${{ env.SBOM_FILENAME }}.spdx.json
-
-    - name: Scan SBOM
-      id: scan_sbom
-      uses: anchore/scan-action@v3
-      with:
-        sbom: ${{ env.SBOM_FILENAME }}.spdx.json
-        output-format: sarif
-        fail-build: false
-
-    - name: Determine number of noticiable vulnerabilities
-      id: count_vulnerabilities
-      run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+        format: cyclonedx-json
+        output-file: ${{ env.SBOM_FILENAME }}.cyclonedx.json
 
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
@@ -121,19 +106,7 @@ jobs:
 
     - name: Copy SBOM to S3
       run: |
-        aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
-        aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
-
-    - name: Update Notion Page
-      uses: ydataai/update-notion-page@v1
-      env:
-        STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
-        STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
-      with:
-        notion_secret: ${{ secrets.NOTION_SECRET }}
-        notion_database_id: ${{ env.NOTION_DATABASE_ID }}
-        notion_database_query_filter: '{  "property": "Repo",  "title": { "equals": "${{ github.event.repository.name }}" }  }'
-        notion_page_update_properties: '{  "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" }  }'
+        aws s3 cp ${{ env.SBOM_FILENAME }}.cyclonedx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ matrix.package }}-${{ env.SBOM_FILENAME }}.cyclonedx.json
 
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4

diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -3,19 +3,17 @@ name: Pull request
 
 
 on:
-  push:
-    branches:
-    - renovate/**
   pull_request:
     branches:
     - master
+    types:
+    - ready_for_review
 
 
 
 env:
   AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
   SBOM_FILENAME: package-sbom
-  NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
 
 
 
@@ -73,18 +71,12 @@ jobs:
         format: spdx-json
         output-file: ${{ env.SBOM_FILENAME }}.spdx.json
 
-    - name: Scan SBOM
-      id: scan_sbom
-      uses: anchore/scan-action@v3
+    - name: Create SBOM
+      uses: anchore/sbom-action@v0
       with:
-        sbom: ${{ env.SBOM_FILENAME }}.spdx.json
-        output-format: sarif
-        fail-build: false
-
-    - name: Determine number of noticiable vulnerabilities
-      id: count_vulnerabilities
-      run: |
-        echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+        upload-artifact-retention: 1
+        format: cyclonedx-json
+        output-file: ${{ env.SBOM_FILENAME }}.cyclonedx.json
 
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
@@ -94,16 +86,4 @@ jobs:
 
     - name: Copy SBOM to S3
       run: |
-        aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
-        aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
-
-    - name: Update Notion Page
-      uses: ydataai/update-notion-page@v1
-      env:
-        STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
-        STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
-      with:
-        notion_secret: ${{ secrets.NOTION_SECRET }}
-        notion_database_id: ${{ env.NOTION_DATABASE_ID }}
-        notion_database_query_filter: '{  "property": "Repo",  "title": { "equals": "${{ github.event.repository.name }}" }  }'
-        notion_page_update_properties: '{  "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" }  }'
+        aws s3 cp ${{ env.SBOM_FILENAME }}.cyclonedx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.cyclonedx.json