Support cataloging github workflow & github action usages #1896

Closed
FirelightFlagboy opened this issue Jun 27, 2023 · 1 comment · Fixed by #2140
Labels: enhancement (New feature or request), new-cataloger

@FirelightFlagboy
What would you like to be added

I would like Syft to be able to index GitHub workflow and GitHub Action files to list GitHub Action dependencies when generating an SBOM.

I think 2 new types could be added:

Why is this needed

I think that pipelines should also be integrated into the SBOM generation, as they're dependencies of a project (e.g. if a pipeline builds the final application, generates files, ...).

Additional context

For github action:

steps:
  # Reference a specific commit
  - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
  # Reference the major version of a release
  - uses: actions/checkout@v3
  # Reference a specific version
  - uses: actions/checkout@v3.2.0
  # Reference a branch
  - uses: actions/checkout@main

Syft would generate the following output:

Name              Version                                   Type
actions/checkout  8f4b7f84864484a7bf31766abe9204da3cbe65b3  github-actions
actions/checkout  v3                                        github-actions
actions/checkout  v3.2.0                                    github-actions
actions/checkout  main                                      github-actions

For GitHub workflows:

jobs:
  call-workflow-1-in-local-repo:
    uses: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
  call-workflow-2-in-local-repo:
    uses: ./.github/workflows/workflow-2.yml
  call-workflow-in-another-repo:
    uses: octo-org/another-repo/.github/workflows/workflow.yml@v1

Syft would parse:

Name                                                  Version                                   Type
octo-org/this-repo/.github/workflows/workflow-1.yml   172239021f7ba04fe7327647b213799853a9eb89  github-workflows
./.github/workflows/workflow-2.yml                    checksum of the local file 🤔 ?           github-workflows
octo-org/another-repo/.github/workflows/workflow.yml  v1                                        github-workflows

@FirelightFlagboy FirelightFlagboy added the enhancement New feature or request label Jun 27, 2023
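As an added example (this is not Syft's code and not part of the issue): a stand-alone Python scanner that pulls every `uses:` value out of a workflow file, splits it into the Name/Version/Type triple the tables above propose, and additionally records whether the reference is pinned to a full-length commit SHA. That last column is the one a reviewer wants, because a tag or branch such as `v3` or `main` can be moved to different code after the SBOM was produced, while a 40-hex SHA cannot. The scanner matches lines with a regular expression instead of a YAML parser so it needs no third-party library; the sample workflow is constructed from the issue's two snippets, with a local action and a `docker://` reference added as assumed extra cases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not a real repository): the two snippets from the
# issue merged into one workflow file, plus a local action and a docker://
# reference added as assumed extra cases.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Reference a specific commit
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
      # Reference the major version of a release
      - uses: actions/checkout@v3
      # Reference a specific version
      - uses: "actions/checkout@v3.2.0"
      # Reference a branch
      - uses: actions/checkout@main
      - uses: ./.github/actions/local-action
      - uses: docker://alpine:3.18
  call-workflow-1-in-local-repo:
    uses: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
  call-workflow-2-in-local-repo:
    uses: ./.github/workflows/workflow-2.yml
  call-workflow-in-another-repo:
    uses: octo-org/another-repo/.github/workflows/workflow.yml@v1
"""

# A `uses:` value, optionally quoted, optionally written as a list item.
USES_LINE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)""")
# GitHub's only immutable reference form: a full 40-hex-digit commit SHA.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Usage:
    name: str
    version: str
    type: str                # "github-actions" or "github-workflows"
    pinned: Optional[bool]   # True = full SHA, False = tag/branch, None = local path


def parse_uses(ref: str) -> Optional[Usage]:
    """Split one `uses:` value into the name/version/type triple proposed in the issue."""
    if ref.startswith("docker://"):
        return None  # container images belong to a different package type
    if ref.startswith("./"):
        # Local path inside the checked-out repo: there is no ref to pin; the
        # content is whatever is in the working tree (the issue suggests a checksum).
        kind = "github-workflows" if "/.github/workflows/" in ref else "github-actions"
        return Usage(ref, "", kind, None)
    name, sep, version = ref.rpartition("@")
    if not sep or not name or not version:
        return None  # a remote reference without an @ref is invalid
    kind = "github-workflows" if "/.github/workflows/" in name else "github-actions"
    return Usage(name, version, kind, bool(FULL_SHA.match(version)))


def catalog(workflow_text: str) -> List[Usage]:
    """Scan a workflow file line by line and collect every parseable `uses:`."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m:
            usage = parse_uses(m.group(1))
            if usage:
                found.append(usage)
    return found


def unpinned(usages: List[Usage]) -> List[Usage]:
    """Remote references that resolve through a mutable tag or branch."""
    return [u for u in usages if u.pinned is False]


def render_table(usages: List[Usage]) -> str:
    """Render the Name/Version/Type table in the layout the issue proposes."""
    rows = [("Name", "Version", "Type")]
    rows += [(u.name, u.version or "(local)", u.type) for u in usages]
    widths = [max(len(r[i]) for r in rows) for i in range(3)]
    return "\n".join(
        "  ".join(c.ljust(w) for c, w in zip(r, widths)).rstrip() for r in rows
    )


if __name__ == "__main__":
    found = catalog(SAMPLE_WORKFLOW)
    print(render_table(found))
    for u in unpinned(found):
        print(f"WARNING: {u.name}@{u.version} is not pinned to a full commit SHA")
```

The `pinned` flag only distinguishes a full SHA from everything else; telling a tag from a branch needs a lookup against the remote repository, which a cataloger working offline on a source tree cannot do, so both are reported as mutable.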

kzantow commented Jun 30, 2023

This seems like an interesting idea! A couple of points:

  • Syft indexing these files would probably be fairly easy if we could search for a pattern like .github/workflow/*.yml, etc.
  • I don't think these will be able to match very many (if any) vulnerability records

We would love to discuss this more. Would you be able to attend one of our community meetings or reach out on our community slack?

@wagoodman wagoodman self-assigned this Sep 15, 2023
@wagoodman wagoodman changed the title Support indexing github workflow & github action for SBOM Support cataloging github workflow & github action usages Sep 15, 2023