
Fixes syntax

Fixes syntax #18


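---
# Builds the Phase 1 Python container, produces container- and application-level
# SBOMs with Trivy, merges the CycloneDX SBOMs, and hands the result to a
# validation job. All artifacts flow between jobs via upload/download-artifact.
name: Phase 1 - Python

# yamllint disable-line rule:truthy
on: [push]

# Least privilege for the job token: no step writes back to the repository,
# and artifact upload/download does not need `contents: write`.
permissions:
  contents: read

env:
  # Quoted so no YAML parser can retype the version string.
  # NOTE(review): the cyclonedx / spdx-json output formats used below were
  # added to Trivy after 0.18.3 — confirm this version actually supports them.
  TRIVY_VERSION: "0.18.3"
  # Single source of truth for the image tag: the build step and the scan steps
  # previously used two different spellings (phase_1_python vs phase-1-python),
  # so the scan targeted an image that did not exist.
  IMAGE_NAME: phase-1-python

jobs:
  Container:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # We're using native docker build here rather
      # than 'docker/build-push-action' to make the run
      # more pipeline agnostic.
      - name: Build Docker image
        working-directory: "Phase 1/Python"
        run: |
          docker build -t "$IMAGE_NAME" .
      - name: Install Trivy
        # -f fails on HTTP errors instead of saving the error page as the
        # archive; -L follows the GitHub release redirect. The ${VAR} braces are
        # required: "$TRIVY_VERSION_Linux" is read by the shell as one variable.
        # TODO(security): verify the archive against the checksum published with
        # the release before extracting it.
        run: |
          curl -fsSL -o /tmp/trivy.tgz \
            "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          tar xvf /tmp/trivy.tgz -C /tmp
          chmod +x /tmp/trivy
      - name: Generate SBOM with Trivy
        working-directory: "Phase 1/Python"
        # /tmp is not on the runner's PATH, so the binary is invoked by path.
        run: |
          /tmp/trivy image \
            --format cyclonedx \
            --output /tmp/container-sbom_cyclonedx.json \
            "$IMAGE_NAME"
          /tmp/trivy image \
            --format spdx-json \
            --output /tmp/container-sbom_spdx.json \
            "$IMAGE_NAME"
      - name: Upload CycloneDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: container-sbom-cyclonedx
          path: "/tmp/container-sbom_cyclonedx.json"
          # A missing SBOM must fail the pipeline rather than warn (the default).
          if-no-files-found: error
      - name: Upload SPDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: container-sbom-spdx
          path: "/tmp/container-sbom_spdx.json"
          if-no-files-found: error

  Application:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Should probably pin this dependency.
      # NOTE(review): no later step in this job invokes cyclonedx-bom — the
      # application SBOMs below are produced by `trivy fs`; confirm it is needed.
      - name: "CycloneDX: Install Dependency"
        working-directory: "Phase 1/Python"
        run: |
          python -m pip install cyclonedx-bom
      - name: Install Trivy
        # Same install as in the Container job; see the comments there.
        # TODO(security): verify the archive against the checksum published with
        # the release before extracting it.
        run: |
          curl -fsSL -o /tmp/trivy.tgz \
            "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          tar xvf /tmp/trivy.tgz -C /tmp
          chmod +x /tmp/trivy
      - name: "CycloneDX: Generate SBOM"
        working-directory: "Phase 1/Python"
        run: |
          /tmp/trivy fs \
            --format cyclonedx \
            --output /tmp/application-sbom_cyclonedx.json \
            requirements.txt
      - name: "SPDX: Generate SBOM"
        working-directory: "Phase 1/Python"
        run: |
          /tmp/trivy fs \
            --format spdx-json \
            --output /tmp/application-sbom_spdx.json \
            requirements.txt
      - name: Upload CycloneDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: application-sbom-cyclonedx
          path: "/tmp/application-sbom_cyclonedx.json"
          if-no-files-found: error
      - name: Upload SPDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: application-sbom-spdx
          path: "/tmp/application-sbom_spdx.json"
          if-no-files-found: error

  Assemble:
    runs-on: ubuntu-latest
    needs: [Container, Application]
    steps:
      - uses: actions/checkout@v4
      # Should probably pin this dependency.
      - name: "Install sbommerge"
        run: |
          python -m pip install sbommerge
      # With download-artifact v4 each artifact lands in a directory named
      # after the artifact, which is the layout the merge step relies on.
      - name: Download all workflow run artifacts
        uses: actions/download-artifact@v4
      - name: "Debug: SBOMs"
        # Glob quoted so the shell does not expand it before find sees it.
        run: |
          find . -iname '*.json'
      - name: "CycloneDX: Generate Merged SBOM"
        run: |
          sbommerge \
            --format json \
            --sbom cyclonedx \
            --output-file /tmp/flattened-cyclonedx.json \
            container-sbom-cyclonedx/container-sbom_cyclonedx.json \
            application-sbom-cyclonedx/application-sbom_cyclonedx.json
      - name: Upload Combined CycloneDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: flattened-sbom-cyclonedx
          path: "/tmp/flattened-cyclonedx.json"
          if-no-files-found: error

  Validate:
    needs: Assemble
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download flattened Cyclone DX artifact
        uses: actions/download-artifact@v4
        with:
          name: flattened-sbom-cyclonedx
      - name: "Debug: SBOMs"
        run: |
          find . -iname '*.json'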