From aa1c5a0fb009dcb666dfca0e42a0268829574843 Mon Sep 17 00:00:00 2001
From: koppurvuris
Date: Thu, 18 Sep 2025 10:21:36 +0100
Subject: [PATCH] sbom configuration
---
 .github/workflows/sbom.yml | 68 ++++++++++++++++++++++++++++++++++++++
 scripts/create-sbom.sh | 19 +++++++++++
 scripts/update-sbom.py | 21 ++++++++++++
 3 files changed, 108 insertions(+)
 create mode 100644 .github/workflows/sbom.yml
 create mode 100644 scripts/create-sbom.sh
 create mode 100644 scripts/update-sbom.py
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 0000000..46a7915
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,68 @@
+name: SBOM Check
+
+on:
+ workflow_dispatch:
+ inputs:
+ environment:
+ description: "Run SBOM check"
+ required: true
+ type: choice
+ options:
+ - yes
+ - no
+
+env:
+ SYFT_VERSION: "1.27.1"
+ TF_VERSION: "1.12.2"
+
+jobs:
+ deploy:
+ name: Software Bill of Materials
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Setup Python 3.13
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.13"
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+
+ - uses: terraform-linters/setup-tflint@ae78205cfffec9e8d93fd2b3115c7e9d3166d4b6
+ name: Setup TFLint
+
+ - name: Set architecture variable
+ id: os-arch
+ run: |
+ case "${{ runner.arch }}" in
+ X64) ARCH="amd64" ;;
+ ARM64) ARCH="arm64" ;;
+ esac
+ echo "arch=${ARCH}" >> $GITHUB_OUTPUT
+
+ - name: Download and setup Syft
+ run: |
+ DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
+ echo "Downloading: ${DOWNLOAD_URL}"
+
+ curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
+ tar -xzf syft.tar.gz
+ chmod +x syft
+
+ # Add to PATH for subsequent steps
+ echo "$(pwd)" >> $GITHUB_PATH
+
+ - name: Create SBOM
+ run: bash scripts/create-sbom.sh terraform python tflint
+
+ - name: Upload SBOM as artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom.json
\ No newline at end of file
diff --git a/scripts/create-sbom.sh b/scripts/create-sbom.sh
new file mode 100644
index 0000000..44ff031
--- /dev/null
+++ b/scripts/create-sbom.sh
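Review bot: The Syft binary that produces the SBOM is fetched with `curl -L` from a release URL and extracted with no integrity check, so the `SYFT_VERSION` pin alone does not protect this supply-chain tool from a swapped or tampered release asset; verify the archive before using it, e.g. `echo "<SHA256-PLACEHOLDER>  syft.tar.gz" | sha256sum -c -` right after the `curl` line, with the value taken from the checksums published with the Syft release (or check the release signature). The job only reads the checkout and uploads an artifact, yet `permissions` grants `contents: write`; `contents: read` is sufficient and keeps a compromised step from pushing to the repository. The tarball is extracted into the workspace root that `create-sbom.sh` then scans with `syft … .`, so `syft.tar.gz` and the `syft` binary end up inside the repository's own SBOM; extracting into a directory outside the checkout (for example `$RUNNER_TEMP`) and appending that to `$GITHUB_PATH` avoids it. Pinning is also mixed, with `setup-terraform` and `setup-tflint` on commit SHAs while `checkout`, `setup-python` and `upload-artifact` float on major tags, and the `environment` input is declared but never read (its unquoted `yes`/`no` options may also be parsed as YAML booleans — verify).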
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+# Generate SBOM for current directory
+syft -o spdx-json . > "$REPO_ROOT/sbom.json"
+
+# Generate and merge SBOMs for each tool passed as argument
+for tool in "$@"; do
+ echo "Creating SBOM for $tool and merging"
+ tool_path=$(command -v "$tool")
+ if [[ -z "$tool_path" ]]; then
+ echo "Warning: '$tool' not found in PATH. Skipping." >&2
+ continue
+ fi
+ syft -q -o spdx-json "$tool_path" | python "$REPO_ROOT/scripts/update-sbom.py"
+done
\ No newline at end of file
diff --git a/scripts/update-sbom.py b/scripts/update-sbom.py
new file mode 100644
index 0000000..31042d1
--- /dev/null
+++ b/scripts/update-sbom.py
@@ -0,0 +1,21 @@
+import json
+import sys
+from pathlib import Path
+
+
+def main() -> None:
+ with Path("sbom.json").open("r") as f:
+ sbom = json.load(f)
+
+ tool = json.loads(sys.stdin.read())
+
+ sbom.setdefault("packages", []).extend(tool.setdefault("packages", []))
+ sbom.setdefault("files", []).extend(tool.setdefault("files", []))
+ sbom.setdefault("relationships", []).extend(tool.setdefault("relationships", []))
+
+ with Path("sbom.json").open("w") as f:
+ json.dump(sbom, f)
+
+
+if __name__ == "__main__":
+ main()
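Review bot: The not-found branch at `if [[ -z "$tool_path" ]]` is unreachable under `set -e`: when `command -v "$tool"` fails, its non-zero status propagates through the assignment and the script aborts before the test runs, so a missing tool kills the whole SBOM run instead of printing the skip warning. Change the assignment to `tool_path=$(command -v "$tool" || true)` so an empty result actually reaches the check. Less critical, the repository scan writes to `"$REPO_ROOT/sbom.json"` while the piped `update-sbom.py` opens `sbom.json` relative to the current directory, so invoking this script from anywhere but the repo root merges into a different file; a `cd "$REPO_ROOT"` before the loop, or passing the output path to the Python script, keeps the two in step.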
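Review bot: `main` reads and writes `Path("sbom.json")` relative to the process's current directory, while its caller `create-sbom.sh` writes the base document to `$REPO_ROOT/sbom.json`, so the merge silently targets a different file, or fails with `FileNotFoundError`, whenever the script runs from a subdirectory; anchoring the path to the script's location, `SBOM_PATH = Path(__file__).resolve().parent.parent / "sbom.json"`, and using it in both `open` calls removes the dependency on the working directory. The merge is a plain concatenation of `packages`, `files` and `relationships`: nothing is deduplicated, and the relationships copied from the tool document presumably still reference that document's own `SPDXRef-DOCUMENT` root rather than the merged one, so consumers may see duplicate packages and dangling describes-links — worth checking the merged output with an SPDX validator. Both `open` calls omit `encoding="utf-8"`, which makes the result depend on the runner's locale; add it to both. A one-line docstring such as `"""Merge a Syft SPDX JSON document read from stdin into sbom.json in place."""` would make the stdin contract visible to the next reader.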