feat: publish sbom to dtrack #767
| name: Publish SBOM to Dependency-Track | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Checkout project | ||
| uses: actions/checkout@v4 | ||
| - name: Install additional libraries | ||
| uses: ./.github/actions/install-packages | ||
| - name: Node version ${{ env.NODE_VERSION }} | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: ${{ env.NODE_VERSION }} | ||
| - run: npm install | ||
| - name: Create SBOM with CycloneDX | ||
| run: npx @cyclonedx/cyclonedx-npm -o bom.xml --of=XML | ||
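Review bot: `run: npm install` at the top of this region re-resolves the dependency tree at build time and can differ from (and rewrite) the committed package-lock.json, so the CycloneDX SBOM generated in the next step may not describe the tree that was actually released. Prefer `- run: npm ci`, which installs exactly the locked versions and fails if the lockfile is out of sync with package.json.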
| - name: Get the current project version from package.json | ||
| id: get-version | ||
| run: | | ||
| echo "version=$(jq -r .version package.json)" >> $GITHUB_OUTPUT | ||
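Review bot: the version step emits whatever jq returns without checking it: `jq -r .version package.json` prints the literal string `null` when the key is absent, and with `autocreate: true` further down that would register a project version named null in Dependency-Track. Suggest splitting the command so a bad value aborts the step under the runner's default `bash -e` shell, e.g. `version=$(jq -er .version package.json)` followed by `echo "version=$version" >> "$GITHUB_OUTPUT"` (jq's `-e` exits non-zero on null or false, and the output path is now quoted).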
| - name: Publish SBOM to Dependency-Track | ||
| uses: DependencyTrack/gh-upload-sbom@v3 | ||
| with: | ||
| serverhostname: ${{ secrets.DEPENDENCYTRACK_HOSTNAME }} | ||
| apikey: ${{ secrets.DEPENDENCYTRACK_APIKEY }} | ||
| projectname: 'Kuzzle SDK JavaScript' | ||
| projectversion: '${{ steps.get-version.outputs.version }}' | ||
| bomfilename: "./bom.xml" | ||
| autocreate: true No newline at end of file |
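Review bot: `uses: DependencyTrack/gh-upload-sbom@v3` (like `actions/checkout@v4` and `actions/setup-node@v4` earlier in the file) references a mutable tag, and this step is the one handed the `DEPENDENCYTRACK_APIKEY` secret, so a retagged release would run unreviewed code with access to it. Pin each action to a full commit SHA and keep the tag in a trailing comment. Separately, because `autocreate: true` is set, the API key needs Dependency-Track's PROJECT_CREATION_UPLOAD permission on top of BOM_UPLOAD; issue it from a team holding only those two so a leaked key cannot read or change the rest of the instance.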
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 7 days ago)
To fix this issue, add a permissions block defining the minimal privilege set required for this workflow. According to the types of actions in the workflow (checking out the code, installing packages, running commands, uploading artifacts, and publishing to Dependency-Track), the only operation that might require the GITHUB_TOKEN is the actions/checkout step, which by default requires read access to repository contents. None of the other steps (including publishing to Dependency-Track) use the token. Thus, setting permissions: contents: read at the job level for publish-sbom-to-dtrack is appropriate and aligns with least privilege principles. You need to edit the workflow YAML to add this block under the job definition, directly above runs-on:.
| @@ -12,6 +12,8 @@ | ||
| jobs: | ||
| publish-sbom-to-dtrack: | ||
| name: Publish SBOM to Dependency-Track | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Checkout project |
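Review bot: the `permissions:` block is added only under `publish-sbom-to-dtrack`, so any job added to this file later would again fall back to the repository's default token scope. Setting `permissions: contents: read` once at the workflow top level (above `jobs:`) covers every job, and an individual job can still widen its own scope if it ever needs to.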
alexandrebouthinon
left a comment
You could upgrade the checkout and node installation actions
💡 Codex Review
Here are some automated review suggestions for this pull request.
| on: | ||
| release: | ||
| types: | ||
| - released | ||
| - prereleased |
Release workflow skips normal publish events
The workflow subscribes only to release event types released and prereleased, so a standard release creation (published action) never triggers this job. That means publishing a normal release will not generate or upload an SBOM, defeating the purpose of the workflow unless the release is first flagged as a prerelease and later promoted. Consider including the published type so SBOMs are produced for regular release publishes.
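Taken together, the CodeQL finding above (no `permissions` block), the Codex note (no `published` release type) and the unpinned actions and `npm install` in the diff are all things a workflow policy check can flag before merge. The following is an added example, not code from this PR or the Kuzzle project: a small Python checker run over this PR's workflow represented as an already-parsed dict, plus a `harden` function that applies the suggested fixes; `check_workflow`, `harden`, the rule names and the all-zero placeholder SHA are my own.

```python
import copy
import re

# Constructed input: this PR's workflow as a parsed dict (PyYAML maps the bare key "on" to True; normalise it first).
WORKFLOW = {
    "on": {"release": {"types": ["released", "prereleased"]}},
    "jobs": {"publish-sbom-to-dtrack": {
        "runs-on": "ubuntu-24.04",
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "./.github/actions/install-packages"},  # local action, no pin needed
            {"uses": "actions/setup-node@v4"},
            {"run": "npm install"},
            {"run": "npx @cyclonedx/cyclonedx-npm -o bom.xml --of=XML"},
            {"uses": "DependencyTrack/gh-upload-sbom@v3", "with": {"autocreate": True}},
        ],
    }},
}
SHA_PINNED = re.compile(r"@[0-9a-f]{40}$")  # immutable pin: @<40-hex commit sha>

def check_workflow(wf):
    """Return (rule, location, message) findings for the points raised in this PR's review."""
    findings = []
    release = wf.get("on", {}).get("release")
    if isinstance(release, dict) and "published" not in release.get("types", []):
        findings.append(("release-types", "on.release.types", "no 'published': normal releases never run the job"))
    for job_id, job in wf.get("jobs", {}).items():
        if "permissions" not in wf and "permissions" not in job:
            findings.append(("permissions", f"jobs.{job_id}", "no permissions block: GITHUB_TOKEN keeps default scope"))
        for i, step in enumerate(job.get("steps", [])):
            loc, uses, run = f"jobs.{job_id}.steps[{i}]", step.get("uses", ""), step.get("run", "")
            if uses and not uses.startswith("./") and not SHA_PINNED.search(uses):
                findings.append(("action-pin", loc, f"{uses}: mutable tag, pin to a commit SHA"))
            if re.search(r"\bnpm install\b", run):
                findings.append(("npm-ci", loc, "npm install can drift from package-lock.json; use npm ci"))
    return findings

def harden(wf):
    """Return a copy of wf with the review fixes applied (the input is left untouched)."""
    fixed = copy.deepcopy(wf)
    fixed["on"]["release"]["types"].append("published")
    for job in fixed["jobs"].values():
        job["permissions"] = {"contents": "read"}
        for step in job["steps"]:
            if step.get("run") == "npm install":
                step["run"] = "npm ci"
            if "uses" in step and not step["uses"].startswith("./"):
                # Placeholder SHA; a real pin is the tag's resolved commit (git ls-remote --tags).
                step["uses"] = step["uses"].split("@")[0] + "@" + "0" * 40
    return fixed
```

Running `check_workflow(WORKFLOW)` reports three unpinned actions, the `npm install` step, the missing permissions block and the missing `published` type; `check_workflow(harden(WORKFLOW))` returns an empty list.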
Co-authored-by: Alexandre Bouthinon <bouthinon.alexandre@gmail.com>
🎉 This PR is included in version 7.17.0-beta.1 🎉 The release is available on: Your semantic-release bot 📦🚀
🎉 This PR is included in version 7.17.0 🎉 The release is available on: Your semantic-release bot 📦🚀
Overview
Add an SBOM workflow