9. Integrating SBOM Generation & Security Scanning into Your Container
To fully automate SBOM generation and security scanning in your CI/CD pipeline, we'll integrate Apko, Syft, and Trivy into GitHub Actions. This ensures:
✅ Every build has an SBOM
✅ Security vulnerabilities are detected early
✅ Compliance with security best practices
Before integrating into CI/CD, install the necessary tools locally for testing:

```bash
# Install Syft (SBOM generator)
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# Install Trivy (SBOM + vulnerability scanner). The -b flag puts the binary on
# PATH; without it the installer drops trivy into ./bin and `trivy` is not found.
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/install.sh | sh -s -- -b /usr/local/bin

# Verify installation
syft version
trivy version
```

Now, let's integrate these tools into GitHub Actions. Add this YAML file to `.github/workflows/sbom-security.yml`:
```yaml
name: SBOM and Security Scan

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  sbom_scan:
    name: Generate SBOM & Scan for Vulnerabilities
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Set Up Docker BuildX
        uses: docker/setup-buildx-action@v2

      - name: Build Container Image
        run: |
          docker build -t my-container:latest .

      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

      - name: Generate SBOM with Syft
        run: |
          syft my-container:latest -o spdx-json > sbom.json

      - name: Upload SBOM as Artifact
        # v3 of upload-artifact is deprecated and no longer runs on github.com
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

      - name: Install Trivy
        run: |
          # -b puts the binary on PATH; the installer's default is ./bin
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/install.sh | sh -s -- -b /usr/local/bin

      - name: Scan Image for Vulnerabilities with Trivy
        run: |
          trivy image --format table my-container:latest

      - name: Fail if Critical Vulnerabilities Found
        run: |
          # With --exit-code 1 trivy exits non-zero when a CRITICAL finding exists,
          # so the test is negated: the body runs (and fails the job) only when
          # trivy reports critical vulnerabilities.
          if ! trivy image --exit-code 1 --severity CRITICAL my-container:latest; then
            echo "Critical vulnerabilities found!"
            exit 1
          fi
```

This workflow:

🔹 Builds the container image
🔹 Generates an SBOM (SPDX format) with Syft
🔹 Uploads the SBOM as a GitHub Actions artifact
🔹 Scans the image for vulnerabilities with Trivy
🔹 Fails the CI/CD pipeline if critical vulnerabilities are found
1️⃣ Commit & Push the Workflow

```bash
git add .github/workflows/sbom-security.yml
git commit -m "Add SBOM and Security Scanning workflow"
git push origin main
```

2️⃣ Trigger the Workflow

- Push a change or open a pull request to trigger the workflow.
- Check the GitHub Actions tab of the repository for results.
For GitLab CI/CD (`.gitlab-ci.yml`):

```yaml
stages:
  - build
  - security

# Each GitLab job runs in a fresh environment, so an image built in one job is
# not visible to the next unless it is saved as an artifact (or pushed to a
# registry). The build job therefore exports the image as a tarball and the
# security jobs scan that file.
build:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker build -t my-container:latest .
    - docker save my-container:latest -o image.tar
  artifacts:
    paths:
      - image.tar

sbom:
  stage: security
  script:
    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
    - syft docker-archive:image.tar -o spdx-json > sbom.json
  artifacts:
    paths:
      - sbom.json

trivy_scan:
  stage: security
  script:
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/install.sh | sh -s -- -b /usr/local/bin
    # exits 1 (failing the job) when any CRITICAL vulnerability is found
    - trivy image --exit-code 1 --severity CRITICAL --input image.tar
```

To sign the SBOM (so that tampering after generation can be detected), use Cosign. `cosign sign` works on container image references, so a plain file such as `sbom.json` is signed and verified with the `*-blob` commands, which use a detached signature file. The key pair comes from `cosign generate-key-pair`; keep `cosign.key` out of the repository (for example in a CI secret) and distribute only `cosign.pub`:

```bash
# sbom.json is a file, not an image reference, so use the *-blob commands
cosign sign-blob --key cosign.key --output-signature sbom.json.sig sbom.json
cosign verify-blob --key cosign.pub --signature sbom.json.sig sbom.json
```

🔒 Anyone holding `cosign.pub` can now verify that `sbom.json` is byte-for-byte the file that was signed; any alteration after signing makes `verify-blob` fail.
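Both pipelines above gate on Trivy's exit code alone, which gives a pass/fail but no record of what failed or whether the SBOM and the scan describe the same image. The script below is an added example, not code from the original page or from the Syft, Trivy or Cosign projects: it reads a Trivy JSON report (`trivy image --format json`) and the Syft SPDX SBOM, filters findings by severity, cross-checks each vulnerable package against the SBOM, and returns the exit code the CI job should use. The field names assumed are those of Trivy's JSON report (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) and SPDX 2.3 JSON (`packages[]` with `name`, `versionInfo`); the two embedded documents are constructed samples with placeholder CVE ids, not real scan output.

```python
"""Severity gate over a Trivy JSON report, cross-checked against an SPDX SBOM.

Added example. Assumes Trivy's JSON report layout and SPDX 2.3 JSON as emitted
by `syft -o spdx-json`. SAMPLE_SBOM and SAMPLE_TRIVY are constructed samples;
the CVE identifiers in them are placeholders, not real advisories.
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of a (trimmed) `syft my-container:latest -o spdx-json` document.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "my-container:latest",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.2-0ubuntu1.10"},
        {"SPDXID": "SPDXRef-Package-curl", "name": "curl", "versionInfo": "7.81.0-1ubuntu1.15"},
        {"SPDXID": "SPDXRef-Package-zlib1g", "name": "zlib1g", "versionInfo": "1:1.2.11.dfsg-2ubuntu9.2"},
    ],
})

# Constructed sample of a (trimmed) `trivy image --format json my-container:latest` report.
SAMPLE_TRIVY = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-container:latest",
    "Results": [{
        "Target": "my-container:latest (ubuntu 22.04)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
             "InstalledVersion": "3.0.2-0ubuntu1.10", "FixedVersion": "3.0.2-0ubuntu1.12",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl",
             "InstalledVersion": "7.81.0-1ubuntu1.15", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
             "InstalledVersion": "1:1.2.11.dfsg-2ubuntu9.2", "FixedVersion": "",
             "Severity": "LOW"},
        ],
    }],
})


def sbom_packages(sbom_json):
    """Return {name: version} for every package listed in an SPDX JSON SBOM."""
    doc = json.loads(sbom_json)
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def findings(trivy_json, min_severity="CRITICAL", fixed_only=False):
    """Flatten a Trivy report into (id, pkg, installed, fixed, severity) tuples
    at or above min_severity. fixed_only=True keeps only findings that have a
    FixedVersion, i.e. the ones a rebuild with updated packages can remove."""
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in json.loads(trivy_json).get("Results", []):
        # Trivy emits null (not an empty list) for targets without findings
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if fixed_only and not v.get("FixedVersion"):
                continue
            out.append((v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                        v.get("FixedVersion", ""), v["Severity"]))
    return out


def gate(sbom_json, trivy_json, min_severity="CRITICAL"):
    """Return (exit_code, messages); exit_code 1 means the build must fail.

    A finding whose package is absent from the SBOM means the scan and the SBOM
    were produced from different images, which is treated as an error rather
    than passed silently."""
    pkgs = sbom_packages(sbom_json)
    msgs, code = [], 0
    for cve, name, installed, fixed, sev in findings(trivy_json, min_severity):
        code = 1
        if name not in pkgs:
            msgs.append(f"ERROR: {name} reported by scanner but absent from SBOM")
            continue
        fix = f"fixed in {fixed}" if fixed else "no fix available"
        msgs.append(f"{sev}: {cve} in {name} {installed} ({fix})")
    return code, msgs


if __name__ == "__main__":
    import sys
    exit_code, messages = gate(SAMPLE_SBOM, SAMPLE_TRIVY)
    print("\n".join(messages) or "no findings at or above threshold")
    sys.exit(exit_code)
```

In a pipeline step, replace the two samples with the real files (`gate(open("sbom.json").read(), open("trivy.json").read())`) after running `trivy image --format json -o trivy.json my-container:latest`, and use the returned code as the step's exit status; lowering `min_severity` to `"HIGH"` or passing `fixed_only=True` changes the policy without touching the workflow YAML.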
✅ Deploy this workflow to GitHub Actions
✅ Use SBOM to monitor dependencies and vulnerabilities
✅ Set up automated alerts for CVE patches