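---
# Builds the Phase 1 Python container, generates CycloneDX and SPDX SBOMs for
# both the image and the application dependencies, merges the CycloneDX pair,
# and hands the merged document to a (currently placeholder) Validate job.
name: Phase 1 - Python

on: [push]

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes, comments
# or publishes, so a read-only token is all the jobs need.
permissions:
  contents: read

env:
  # NOTE(review): the `--format cyclonedx` / `--format spdx-json` outputs used
  # below were added to Trivy well after 0.18.3 — confirm this pin actually
  # supports them, or bump it.
  TRIVY_VERSION: 0.18.3
  # Single source of truth for the local image tag so the build and the scan
  # steps cannot drift apart (the scan previously targeted a different name
  # than the one the build produced).
  IMAGE_NAME: phase_1_python

jobs:
  Container:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin third-party actions to a full commit SHA rather than
      # a mutable major tag for supply-chain hardening.
      - uses: actions/checkout@v4

      # We're using native docker build here rather
      # than 'docker/build-push-action' to make the run
      # more pipeline agnostic.
      - name: Build Docker image
        working-directory: "Phase 1/Python"
        run: |
          docker build -t "${IMAGE_NAME}" .

      - name: Install Trivy
        run: |
          set -euo pipefail
          install_dir="${RUNNER_TEMP}/trivy-bin"
          mkdir -p "${install_dir}"
          base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          # -f makes curl fail on an HTTP error instead of saving the error
          # page to disk, which tar would then reject with a confusing message.
          curl -fsSL -o "${install_dir}/${tarball}" "${base}/${tarball}"
          curl -fsSL -o "${install_dir}/checksums.txt" \
            "${base}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Verify the tarball against the checksum list published with the
          # same release. This catches a corrupted or tampered download; it
          # does not defend against a compromised release itself (signature
          # verification would be needed for that).
          (cd "${install_dir}" && sha256sum --check --ignore-missing checksums.txt)
          # Extract only the binary; the archive also ships docs we don't need.
          tar -xzf "${install_dir}/${tarball}" -C "${install_dir}" trivy
          chmod +x "${install_dir}/trivy"
          # /tmp is not on the runner's PATH, so a bare `trivy` in later steps
          # would not resolve. Expose our dedicated install dir instead of
          # putting a world-writable directory on PATH.
          echo "${install_dir}" >> "${GITHUB_PATH}"

      - name: Generate SBOM with Trivy
        working-directory: "Phase 1/Python"
        run: |
          trivy image \
            --format cyclonedx \
            --output /tmp/container-sbom_cyclonedx.json \
            "${IMAGE_NAME}"
          trivy image \
            --format spdx-json \
            --output /tmp/container-sbom_spdx.json \
            "${IMAGE_NAME}"

      - name: Upload CycloneDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: container-sbom-cyclonedx
          path: "/tmp/container-sbom_cyclonedx.json"

      - name: Upload SPDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: container-sbom-spdx
          path: "/tmp/container-sbom_spdx.json"

  Application:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # NOTE(review): this package is not used by any later step in this job
      # (both SBOMs are produced by `trivy fs`). If it is kept, pin it to an
      # exact version (ideally with hashes) rather than installing latest.
      - name: "CycloneDX: Install Dependency"
        working-directory: "Phase 1/Python"
        run: |
          python -m pip install cyclonedx-bom

      - name: Install Trivy
        run: |
          set -euo pipefail
          install_dir="${RUNNER_TEMP}/trivy-bin"
          mkdir -p "${install_dir}"
          base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          # -f: fail on HTTP errors rather than saving an error page as the tarball.
          curl -fsSL -o "${install_dir}/${tarball}" "${base}/${tarball}"
          curl -fsSL -o "${install_dir}/checksums.txt" \
            "${base}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Same-release checksum: detects corruption/tampering in transit,
          # not a compromised release.
          (cd "${install_dir}" && sha256sum --check --ignore-missing checksums.txt)
          tar -xzf "${install_dir}/${tarball}" -C "${install_dir}" trivy
          chmod +x "${install_dir}/trivy"
          # Make `trivy` resolvable for the following steps (see Container job).
          echo "${install_dir}" >> "${GITHUB_PATH}"

      - name: "CycloneDX: Generate SBOM"
        working-directory: "Phase 1/Python"
        run: |
          trivy fs \
            --format cyclonedx \
            --output /tmp/application-sbom_cyclonedx.json \
            requirements.txt

      - name: "SPDX: Generate SBOM"
        working-directory: "Phase 1/Python"
        run: |
          trivy fs \
            --format spdx-json \
            --output /tmp/application-sbom_spdx.json \
            requirements.txt

      - name: Upload CycloneDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: application-sbom-cyclonedx
          path: "/tmp/application-sbom_cyclonedx.json"

      - name: Upload SPDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: application-sbom-spdx
          path: "/tmp/application-sbom_spdx.json"

  Assemble:
    runs-on: ubuntu-latest
    needs: [Container, Application]
    steps:
      - uses: actions/checkout@v4

      # NOTE(review): unpinned install of a third-party tool; pin to an exact
      # version (ideally with hashes) so the merge step is reproducible.
      - name: "Install sbommerge"
        run: |
          python -m pip install sbommerge

      # With no `name:` given, every artifact of the run is downloaded into a
      # subdirectory named after the artifact, which is what the paths below rely on.
      - name: Download all workflow run artifacts
        uses: actions/download-artifact@v4

      - name: "Debug: SBOMs"
        run: |
          # Quoted so the shell never expands the glob before find sees it.
          find . -iname '*.json'

      - name: "CycloneDX: Generate Merged SBOM"
        run: |
          sbommerge \
            --format json \
            --sbom cyclonedx \
            --output-file /tmp/flattened-cyclonedx.json \
            container-sbom-cyclonedx/container-sbom_cyclonedx.json \
            application-sbom-cyclonedx/application-sbom_cyclonedx.json

      - name: Upload Combined CycloneDX SBOM
        uses: actions/upload-artifact@v4
        with:
          name: flattened-sbom-cyclonedx
          path: "/tmp/flattened-cyclonedx.json"

  # Placeholder: currently only fetches the merged SBOM and lists it. No
  # schema validation or policy check runs yet.
  Validate:
    needs: Assemble
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Download flattened Cyclone DX artifact
        uses: actions/download-artifact@v4
        with:
          name: flattened-sbom-cyclonedx

      - name: "Debug: SBOMs"
        run: |
          find . -iname '*.json'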