Add sbom-test workflow

sathiya-nhs · sathiya-nhs · commit 45b267d02e32 · 2025-11-25T17:29:37.000Z
diff --git a/.github/workflows/sbom-test.yml b/.github/workflows/sbom-test.yml
@@ -0,0 +1,62 @@
+
+name: SBOM Vulnerability Scanning
+
+on:
+  workflow_dispatch:
+
+jobs:
+  sbom:
+    runs-on: ubuntu-22.04
+    container:
+      image: python:3.13-slim
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Poetry and Tools
+        run: |
+          apt-get update && apt-get install -y curl
+          curl -sSL https://install.python-poetry.org | python3 -
+          export PATH="$HOME/.local/bin:$PATH"
+          pip install cyclonedx-bom grype tabulate
+
+      - name: Install dependencies
+        run: |
+          export PATH="$HOME/.local/bin:$PATH"
+          poetry install
+
+      # Generate SBOM in JSON
+      - name: Generate SBOM (CycloneDX)
+        run: |
+          cyclonedx-py --format json --output sbom.json
+
+      # Convert SBOM JSON to CSV
+      - name: Convert SBOM JSON to CSV
+        run: |
+          python .github/scripts/sbom_json_to_csv.py sbom.json sbom.csv
+
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-files
+          path: |
+            sbom.json
+            sbom.csv
+
+      # Scan SBOM for vulnerabilities
+      - name: Scan SBOM for Vulnerabilities
+        run: |
+          grype sbom:sbom.json -o json > grype-report.json
+
+      # Convert Grype JSON to CSV
+      - name: Convert Grype JSON to CSV
+        run: |
+          python .github/scripts/grype_json_to_csv.py grype-report.json grype-report.csv
+
+      - name: Upload Vulnerability Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: grype-report
+          path: |
+            grype-report.json
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -18,11 +18,7 @@ env:
 jobs:
   deploy:
     name: Software Bill of Materials
-    runs-on: ubuntu-22.04
-
-    container:
-      image: python:3.13-slim
-
+    runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: write
@@ -111,9 +107,4 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: sbom-packages
-          path: sbom-packages-${{ github.event.repository.name }}.csv
-
-      - name: Debug Go version
-        run: |
-          go version
-          go list std
+          path: sbom-packages-${{ github.event.repository.name }}.csv
