-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
124 lines (109 loc) · 4.72 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
name: 'SBOMinify'
description: 'A GitHub Action to capture and list installed packages and their versions in a Docker image.'
author: 'DockForge <dublokcom@gmail.com>'
inputs:
images:
description: "Comma-separated list of Docker images to scan"
required: true
github_token:
description: "GitHub token for authentication"
required: true
output_path:
description: "Path to store the SBOM files"
required: false
default: ""
sbom_file_prefix:
description: "Prefix for the SBOM files"
required: false
default: ""
sbom_file_suffix:
description: "Suffix for the SBOM files"
required: false
default: ""
sbom_file_name:
description: "Name for the SBOM files"
required: false
default: "[REPOSITORY]_[TAG]"
runs:
using: "composite"
steps:
- name: Checkout repository
uses: actions/checkout@v4.1.6
- name: Install syft
shell: bash
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Parse image names
id: parse_images
shell: bash
run: |
IFS=',' read -ra IMAGES <<< "${{ inputs.images }}"
for image in "${IMAGES[@]}"; do
echo "IMAGE=$image" >> $GITHUB_ENV
done
- name: Create output directory
shell: bash
run: |
mkdir -p $GITHUB_WORKSPACE/${{ inputs.output_path }}
- name: Scan Docker images with syft
shell: bash
run: |
IFS=',' read -ra IMAGES <<< "${{ inputs.images }}"
for image in "${IMAGES[@]}"; do
IFS=':' read -r -a IMAGE <<< "$image"
REPOSITORY=${IMAGE[0]}
TAG=${IMAGE[1]}
filename=$(echo ${{ inputs.sbom_file_name }} | sed "s|\\[REPOSITORY\\]|$REPOSITORY|g" | sed "s|\\[TAG\\]|$TAG|g")
filename=${{ inputs.sbom_file_prefix }}$filename${{ inputs.sbom_file_suffix }}
syft $image --scope all-layers -o syft-table > $GITHUB_WORKSPACE/${{ inputs.output_path }}/$filename.txt
syft $image --scope all-layers -o json | jq '.' > $GITHUB_WORKSPACE/${{ inputs.output_path }}/$filename.json
echo "Created files: $GITHUB_WORKSPACE/${{ inputs.output_path }}/$filename.txt and $GITHUB_WORKSPACE/${{ inputs.output_path }}/$filename.json"
done
- name: List directory for debugging
shell: bash
run: |
ls -la $GITHUB_WORKSPACE/${{ inputs.output_path }}
- name: Commit and push changes
shell: bash
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions[bot]@users.noreply.github.com"
# Create a temporary directory for copying files
TEMP_DIR=$(mktemp -d)
# Copy SBOM files to the temporary directory
IFS=',' read -ra IMAGES <<< "${{ inputs.images }}"
for image in "${IMAGES[@]}"; do
IFS=':' read -r -a IMAGE <<< "$image"
REPOSITORY=${IMAGE[0]}
TAG=${IMAGE[1]}
filename=$(echo ${{ inputs.sbom_file_name }} | sed "s|\\[REPOSITORY\\]|$REPOSITORY|g" | sed "s|\\[TAG\\]|$TAG|g")
filename=${{ inputs.sbom_file_prefix }}$filename${{ inputs.sbom_file_suffix }}
cp $GITHUB_WORKSPACE/${{ inputs.output_path }}/$filename.txt $TEMP_DIR/$filename.txt || echo "Failed to copy $filename.txt"
cp $GITHUB_WORKSPACE/${{ inputs.output_path }}/$filename.json $TEMP_DIR/$filename.json || echo "Failed to copy $filename.json"
done
# Fetch and checkout the default branch
git fetch origin $DEFAULT_BRANCH
git checkout $DEFAULT_BRANCH
# Copy SBOM files from the temporary directory to the workspace
cp $TEMP_DIR/*.txt $GITHUB_WORKSPACE/${{ inputs.output_path }}/ || echo "Failed to copy txt files"
cp $TEMP_DIR/*.json $GITHUB_WORKSPACE/${{ inputs.output_path }}/ || echo "Failed to copy json files"
# Add, commit, and push the changes to the default branch
git add $GITHUB_WORKSPACE/${{ inputs.output_path }}/*.txt || echo "Failed to add txt files"
git add $GITHUB_WORKSPACE/${{ inputs.output_path }}/*.json || echo "Failed to add json files"
git status
git commit -m "Update SBOM files for images: ${{ inputs.images }}."
git push origin $DEFAULT_BRANCH
# Check if the current ref is a tag
if [[ ${{ github.ref }} == refs/tags/* ]]; then
TAG_NAME=${{ github.ref }}
TAG_NAME=${TAG_NAME/refs\/tags\//}
# Update the tag to point to the latest commit on the default branch
git tag -f $TAG_NAME
git push origin -f $TAG_NAME
fi
branding:
icon: 'package'
color: 'red'