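---
# Composite action: install one SBOM scanner (Trivy, Grype or Syft), generate a
# CycloneDX SBOM for a filesystem or container image, upload it to sbom.sh and
# expose the returned share URL.
#
# Inputs reach the shell steps only through `env:` variables, never through
# `${{ }}` expansion inside `run:` scripts. An expression expanded into a
# script becomes part of the script text, so a crafted input value could
# otherwise inject arbitrary shell; an environment variable is just data.
name: "sbom.sh Generate, Scan and Share SBOM"
description: "SBOM.sh - Generate and upload SBOM to sbom.sh using Trivy, Syft, or Grype"

inputs:
  scan_type:
    description: 'Type of scan (trivyfs, trivyimage, grypefs, grypeimage, syftfs, syftimage)'
    required: true
    default: 'trivyfs'
  target:
    description: 'Scan target (applicable for image scans)'
    required: false
    default: ''

outputs:
  sbom_url:
    description: "The URL of the generated SBOM"
    # A composite-action output is only populated through `value`; without it
    # the declared output stays empty for callers even though the step ran.
    value: ${{ steps.generate.outputs.sbom_url }}

runs:
  using: 'composite'
  steps:
    - name: Install Dependencies
      env:
        SCAN_TYPE: ${{ inputs.scan_type }}
      shell: bash
      run: |
        set -euo pipefail
        # Installers are fetched from each project's default branch and piped
        # straight into sh, so the exact code run is not pinned. Pinning to a
        # release and verifying its published checksum would make this step
        # reproducible and tamper-evident.
        case "$SCAN_TYPE" in
          trivyfs|trivyimage)
            curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
            ;;
          grypefs|grypeimage)
            curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
            ;;
          syftfs|syftimage)
            curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
            ;;
          *)
            # Fail here rather than reaching the scan step with no tool installed.
            echo "::error::Unknown scan_type '$SCAN_TYPE'" >&2
            exit 1
            ;;
        esac

    - name: Generate SBOM and return unique https://sbom.sh URL
      id: generate
      env:
        SBOM_SH_SERVER: 'https://sbom.sh'
        SCAN_TYPE: ${{ inputs.scan_type }}
        TARGET: ${{ inputs.target }}
        GITHUB_WORKSPACE: ${{ github.workspace }}
      shell: bash
      run: |
        set -euo pipefail
        GIT_COMMIT=$(git rev-parse HEAD)
        REPO_SLUG=$(basename "$(git rev-parse --show-toplevel)")

        # Build the scanner invocation as an argv array so the target is handed
        # to the tool as a single argument. No eval: the input is never
        # re-parsed as shell. `${TARGET:+"$TARGET"}` omits the argument when
        # the target is empty, matching the previous behaviour for fs scans.
        case "$SCAN_TYPE" in
          trivyfs)    scan_cmd=(trivy fs ${TARGET:+"$TARGET"} -f cyclonedx --scanners vuln -q) ;;
          trivyimage) scan_cmd=(trivy image ${TARGET:+"$TARGET"} -f cyclonedx --scanners vuln -q) ;;
          grypefs)    scan_cmd=(grype ${TARGET:+"$TARGET"} -o cyclonedx-json -q) ;;
          grypeimage) scan_cmd=(grype "registry:$TARGET" -o cyclonedx-json -q) ;;
          syftfs)     scan_cmd=(syft ${TARGET:+"$TARGET"} -o cyclonedx-json -q) ;;
          syftimage)  scan_cmd=(syft "registry:$TARGET" -o cyclonedx-json -q) ;;
          *)
            echo "::error::Unknown scan_type '$SCAN_TYPE'" >&2
            exit 1
            ;;
        esac

        SCAN_OUTPUT=$("${scan_cmd[@]}")

        # Filesystem scans are stamped with the commit and repository name so
        # the uploaded BOM identifies the source it describes.
        case "$SCAN_TYPE" in
          trivyfs|grypefs|syftfs)
            SCAN_OUTPUT=$(printf '%s' "$SCAN_OUTPUT" | jq --arg git_commit "$GIT_COMMIT" --arg repo_slug "$REPO_SLUG" '
              .metadata.component."bom-ref" = $git_commit |
              .metadata.component.name = $repo_slug
            ')
            ;;
        esac

        # The SBOM is uploaded to the sbom.sh service. `-f` turns an HTTP error
        # into a step failure instead of silently producing a null share URL.
        RESPONSE=$(printf '%s' "$SCAN_OUTPUT" | curl -sSf -d @- "$SBOM_SH_SERVER" -H "Content-Type: application/json")
        # `-e` makes jq exit non-zero when ShareUrl is missing or null.
        SBOM_SHARE_URL=$(printf '%s' "$RESPONSE" | jq -er '.ShareUrl')

        # Kept for callers that read the env var; the step output feeds `outputs.sbom_url`.
        echo "SBOM_SHARE_URL=$SBOM_SHARE_URL" >> "$GITHUB_ENV"
        echo "sbom_url=$SBOM_SHARE_URL" >> "$GITHUB_OUTPUT"

    - name: Output SBOM URL
      shell: bash
      run: echo "The SBOM can be found at $SBOM_SHARE_URL"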