Skip to content

Create sbom.yml#24

Merged
mm-psy merged 4 commits intomainfrom
mm-psy-sbim
Dec 2, 2025
Merged

Create sbom.yml#24
mm-psy merged 4 commits intomainfrom
mm-psy-sbim

Conversation

@mm-psy
Copy link
Owner

@mm-psy mm-psy commented Dec 1, 2025

No description provided.

@github-actions
Copy link

github-actions bot commented Dec 1, 2025
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 08eba0b27e820071cde6df949e0beb9ba4906955 🟢 6.3
Details
CheckScoreReason
Maintained⚠️ 34 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Signed-Releases⚠️ -1no releases found
Fuzzing⚠️ 0project is not fuzzed
Security-Policy🟢 9security policy file detected
Pinned-Dependencies⚠️ 3dependency not pinned by hash detected -- score normalized to 3
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Vulnerabilities🟢 91 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/upload-artifact 4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 🟢 5.5
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 68 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Vulnerabilities⚠️ 46 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits

Scanned Files

  • .github/workflows/sbom.yml

@mm-psy mm-psy changed the title Create main.yml Create sbom.yml Dec 1, 2025
@mm-psy mm-psy requested a review from Copilot December 2, 2025 12:59
Copilot AI reviewed Dec 2, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces automated Software Bill of Materials (SBOM) generation using CycloneDX's cdxgen tool. The workflow triggers on pushes to main/release branches and version tags, generating an SBOM artifact for dependency tracking and security compliance.

Key changes:

  • New GitHub Actions workflow that runs on push events to main, release branches, and version tags
  • Integration of CycloneDX cdxgen tool via Docker to generate SBOM in JSON format
  • Automatic artifact upload of generated SBOM for downstream consumption

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/sbom.yml Outdated
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

- name: Generate SBOM
run: docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /tmp/bom.json
Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Docker command uses $(pwd) for volume mounting, which can fail in GitHub Actions runners and poses a potential security risk by mounting the entire workspace with read-write permissions. Use ${{ github.workspace }} instead and consider using read-only mounting (:ro) for the source directory.

Suggested change
run: docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /tmp/bom.json
run: docker run --rm -v /tmp:/tmp -v ${{ github.workspace }}:/app:ro -t ghcr.io/cyclonedx/cdxgen -r /app -o /tmp/bom.json

Copilot uses AI. Check for mistakes.
.github/workflows/sbom.yml Outdated
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

- name: Generate SBOM
run: docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /tmp/bom.json
Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cdxgen Docker image is not pinned to a specific version or digest, which can lead to unpredictable behavior and potential security issues. Pin the image to a specific version tag or SHA256 digest (e.g., ghcr.io/cyclonedx/cdxgen@sha256:... or ghcr.io/cyclonedx/cdxgen:v10.0.0).

Suggested change
run: docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /tmp/bom.json
run: docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:v10.0.0 -r /app -o /tmp/bom.json

Copilot uses AI. Check for mistakes.
@mm-psy
Update .github/workflows/sbom.yml
b9f73e9 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@mm-psy mm-psy requested a review from Copilot December 2, 2025 13:06
Copilot AI reviewed Dec 2, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@mm-psy mm-psy requested a review from Copilot December 2, 2025 13:09
Copilot AI reviewed Dec 2, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@mm-psy mm-psy merged commit 9e90ccc into main Dec 2, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mm-psy