From fd6706c7be68a87bb5bb8bada67f9bc6e09ccff6 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 09:07:23 +0200
Subject: [PATCH 1/3] implement CI sbom
---
 .github/workflows/release.yaml | 6 +++++
 .github/workflows/sbom.yml | 47 ++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 .github/workflows/sbom.yml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b04338aa..a9073548 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -52,6 +52,12 @@ jobs:
 draft: true
 generate_release_notes: true
+ create-sbom:
+ needs: [create-release]
+ uses: ./.github/workflows/sbom.yml
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ + build-linux: + needs: + - create-release
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 00000000..3769f517
--- /dev/null
+++ b/.github/workflows/sbom.yml
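Review bot: The new `create-sbom` job declares no `permissions`, yet the reusable workflow it calls uploads a release asset with `secrets.GITHUB_TOKEN`, and a called workflow can only use (never raise) the permissions of the calling job; whether this workflow's top-level `permissions` grants `contents: write` is outside the hunk, so the upload can fail with a 403 if that grant is missing or is later tightened. Declaring the requirement on the job makes it explicit either way: add `permissions:` / `  contents: write` under `create-sbom:`. As a point of style, `needs: [create-release]` is flow-style while the adjacent `build-linux` job writes `needs:` as a block sequence; the file should use one form.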
@@ -0,0 +1,47 @@
+name: Create SBOM files
+
+on:
+ workflow_call:
+ inputs:
+ upload_url:
+ description: "Release assets upload url"
+ required: true
+ type: string
+
+jobs:
+ create-sbom:
+ runs-on:
+ - codebuild-defguard-client-runner-${{ github.run_id }}-${{ github.run_attempt }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ # Store the version, stripping any v-prefix
+ - name: Write release version
+ run: |
+ VERSION=${GITHUB_REF_NAME#v}
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+ - name: Create SBOM with Trivy
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'fs'
+ format: 'spdx-json'
+ output: "defguard-client-${{ env.VERSION }}.sbom.json"
+ scan-ref: '.'
+ severity: "CRITICAL,HIGH,MEDIUM"
+
+ - name: Upload SBOM
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ inputs.upload_url }}
+ asset_path: "defguard-client-${{ env.VERSION }}.sbom.json"
+ asset_name: "defguard-client-${{ env.VERSION }}.sbom.json"
+ asset_content_type: application/octet-stream
+ scanners: "vuln"
From 40f9604259608b0ff6fe2f2b29dcf96d357cb580 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 26 Sep 2025 09:03:00 +0200
Subject: [PATCH 2/3] run sbom on self-hosted workers
---
 .github/workflows/sbom.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 3769f517..a791d7d3 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -10,8 +10,7 @@ on:
 jobs:
 create-sbom:
- runs-on:
- - codebuild-defguard-client-runner-${{ github.run_id }}-${{ github.run_attempt }}
+ runs-on: self-hosted
 steps:
 - name: Checkout
From 86832d226bce0379b6bd84469884cf21547ede09 Mon Sep 17 00:00:00 2001
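Review bot: Every third-party action in this new workflow is referenced by a mutable tag (`aquasecurity/trivy-action@0.33.1`, `actions/upload-release-asset@v1.0.2`, and `shogo82148/actions-upload-release-asset@v1` once the third patch lands), and the job runs with a `GITHUB_TOKEN` that must be able to write release assets, so a retargeted tag would execute unreviewed code with that token. Pin each `uses:` to a full commit SHA and keep the tag as a comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-placeholder> # 0.33.1`. Separately, `severity: "CRITICAL,HIGH,MEDIUM"` on the Trivy step filters vulnerability findings and, as far as I can tell, has no effect on an SPDX package inventory, so it only suggests the SBOM is filtered; drop it or annotate it with `# severity filters findings, not the SBOM inventory`. `asset_content_type: application/octet-stream` could be `application/spdx+json` so the asset is typed for consumers.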
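Review bot: `runs-on: self-hosted` matches any runner carrying that label in the repository or organisation, so a job that uploads a release asset with `GITHUB_TOKEN` lands on whichever self-hosted machine claims it first; the per-run CodeBuild label it replaces at least bound the job to a runner created for that run. Narrow the label set to the pool that is meant to build releases, e.g. `runs-on: [self-hosted, linux, x64]` plus a dedicated label, and confirm those runners are ephemeral, since the checked-out tree with submodules and the generated SBOM would otherwise persist on the machine between jobs. The commit message only says the job should run on self-hosted workers, so which pool was intended is not visible from the hunk.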
From: Jacek Chmielewski
Date: Fri, 26 Sep 2025 10:23:56 +0200
Subject: [PATCH 3/3] use shogo82148/actions-upload-release-asset upload action
---
 .github/workflows/sbom.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index a791d7d3..3806208e 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -4,7 +4,7 @@ on:
 workflow_call:
 inputs:
 upload_url:
- description: "Release assets upload url"
+ description: "Release assets upload URL"
 required: true
 type: string
@@ -35,12 +35,10 @@ jobs:
 severity: "CRITICAL,HIGH,MEDIUM"
 - name: Upload SBOM
- uses: actions/upload-release-asset@v1.0.2
+ uses: shogo82148/actions-upload-release-asset@v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ inputs.upload_url }}
- asset_path: "defguard-client-${{ env.VERSION }}.sbom.json"
- asset_name: "defguard-client-${{ env.VERSION }}.sbom.json"
+ asset_path: "defguard-*.sbom.json"
 asset_content_type: application/octet-stream
- scanners: "vuln"
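Review bot: `asset_path: "defguard-*.sbom.json"` swaps an exact filename for a glob even though the name is still known — the Trivy step outside this hunk writes `defguard-client-${{ env.VERSION }}.sbom.json` — so any other `defguard-*.sbom.json` present in the workspace would be uploaded as well, which is plausible on the possibly non-ephemeral `self-hosted` runner the second patch introduced. Keep the exact path, `asset_path: "defguard-client-${{ env.VERSION }}.sbom.json"`, and if this action accepts `asset_name` set it to the same value so the release asset keeps its versioned name. `shogo82148/actions-upload-release-asset@v1` is a mutable major tag on a third-party action; see the pinning note on the first patch's `sbom.yml` hunk.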