feat(sbom): Send results within the entrypoint.sh

aquasecurity · Jun 20, 2022 · 6f9d699 · 6f9d699
1 parent dbb62d8
commit 6f9d699
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/action.yaml b/action.yaml
@@ -82,6 +82,9 @@ inputs:
   artifact-type:
     description: 'input artifact type (image, fs, repo, archive) for SBOM generation'
     required: false
+  github-pat:
+    description: 'GitHub Personal Access Token (PAT) needed if submitting SBOM to GitHub Dependency Snapshot API'
+    required: false
 
 runs:
   using: 'docker'
@@ -108,3 +111,4 @@ runs:
     - '-s ${{ inputs.security-checks }}'
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.artifact-type }}'
+    - '-v ${{ inputs.github-pat }}'
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -65,6 +65,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
        u)
          export artifactType=${OPTARG}
        ;;
+       v)
+         export githubPAT=${OPTARG}
+       ;;
   esac
 done
 
@@ -172,4 +175,9 @@ if [[ "${format}" == "sarif" ]]; then
   trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
 fi
 
+if [[ "${format}" == "github" ]]; then
+  echo "Uploading GitHub Dependency Snapshot"
+  curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./dependency-results.sbom.json
+fi
+
 exit $returnCode