Generate and upload SBOM #12
Conversation
.github/workflows/publish.yaml
- name: Create SBOM | ||
run: syft charmed-postgresql_${{env.tag}}_amd64.rock -o spdx-json=charmed-postgresql_${{env.tag}}_amd64.rock.spdx.json | ||
- name: Upload SBOM | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
path: "charmed-postgresql_${{env.tag}}_amd64.rock.spdx.json" | ||
name: charmed-postgresql_${{env.tag}}_amd64.rock.spdx.json |
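Review bot: the `Create SBOM` step invokes `syft` but this hunk contains no step that installs it at a pinned version with a verified checksum, and the discussion shows the intended install is the upstream `install.sh` fetched over the network, which runs unreviewed code inside a workflow that can reference publishing secrets. Suggest adding, before `run: syft charmed-postgresql_${{env.tag}}_amd64.rock ...`, a step that downloads a specific syft release and checks its sha256 against the published checksums file, and pinning `uses: actions/upload-artifact@v3` to a full commit SHA so the artifact step cannot change under a moved tag.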
There is an action that can do this, but there is a bug preventing usage with files anchore/sbom-action#389
Tested with a personal repo. The end result should look like this.
Unfortunately, we cannot merge it AS IS, as the workflow has access to GitHub secrets which will leak if https://raw.githubusercontent.com/anchore/syft/main/install.sh is compromised.
We have to extract it into a separate workflow without secrets and exchange the SBOM via artifacts. Security... Security... Security...
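The split described in the comment above, as an added example that is not the PR's own workflow: the SBOM is produced in a job that references no repository secrets and holds a read-only token, then handed to the publishing job through an artifact. Assumed names (the `rock` artifact from a prior build job, the `TAG` value, the `PUBLISH_TOKEN` secret) and the checksum placeholder are not from the PR; a fully separate workflow, as the comment proposes, is the stricter variant of the same idea.

```yaml
# Added example, not the repository's workflow. Assumes a prior build job
# uploaded the built rock as an artifact named "rock" (assumption).
name: Publish with SBOM (example)

on:
  workflow_dispatch:

jobs:
  sbom:
    # No `secrets.*` reference in this job and a read-only GITHUB_TOKEN:
    # a compromised installer here cannot reach publishing credentials.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      SYFT_VERSION: "1.0.0"                                  # pin a release, never "latest"
      SYFT_SHA256: "<sha256 of syft_1.0.0_linux_amd64.tar.gz from syft_1.0.0_checksums.txt>"  # placeholder
      TAG: "14"                                              # placeholder for the rock tag
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: rock
      - name: Install pinned syft and verify its checksum
        run: |
          set -euo pipefail
          curl -sSfL -o syft.tgz \
            "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz"
          # sha256sum -c fails the step (and the job) on any mismatch
          echo "${SYFT_SHA256}  syft.tgz" | sha256sum -c -
          tar -xzf syft.tgz syft
      - name: Create SBOM
        run: ./syft "charmed-postgresql_${TAG}_amd64.rock" -o "spdx-json=charmed-postgresql_${TAG}_amd64.rock.spdx.json"
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: charmed-postgresql_${{ env.TAG }}_amd64.rock.spdx.json

  publish:
    # Only this job references secrets; it consumes the SBOM via the artifact.
    needs: sbom
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: sbom
      - name: Publish rock and SBOM
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}   # placeholder secret name
        run: ls -l ./*.spdx.json   # real publishing command goes here
```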
Maybe we should merge this in the build workflow?
I would say we will have to merge it as a shared data-platform-workflow one day.
Meanwhile, I would prefer to keep it as a separate workflow to indicate PoC availability here.
LGTM, @carlcsaposs-canonical can you please comment on it from your side? Tnx!
Issue
Generate SBOM manifests for future use by security auditing
Solution
Generate SBOM and upload as artefact in publish workflows