Generate and upload SBOM #12
Conversation
.github/workflows/publish.yaml
Outdated
| - name: Create SBOM | ||
| run: syft charmed-postgresql_${{env.tag}}_amd64.rock -o spdx-json=charmed-postgresql_${{env.tag}}_amd64.rock.spdx.json | ||
| - name: Upload SBOM | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| path: "charmed-postgresql_${{env.tag}}_amd64.rock.spdx.json" | ||
| name: charmed-postgresql_${{env.tag}}_amd64.rock.spdx.json |
There was a problem hiding this comment.
There is an action that can do this, but there is a bug preventing usage with files anchore/sbom-action#389
|
Tested with a personal repo. The end result should look like this. |
There was a problem hiding this comment.
Unfortunately, we cannot merge it AS IS, as the workflow has access to GitHub secrets which will leak if https://raw.githubusercontent.com/anchore/syft/main/install.sh is compromised.
We have to extract it into the separate workflow without secrets and exchange SBOM via artifacts. Security... Security... Security...
There was a problem hiding this comment.
Maybe we should merge this in the build workflow?
There was a problem hiding this comment.
I would say, we will have to merge it as shared data-platform-workflow one day.
Meanwhile, I would prefer to keep it as separate workflow to indicate PoC availability here.
There was a problem hiding this comment.
LGTM, @carlcsaposs-canonical can you please comment it from your side. Tnx!
There was a problem hiding this comment.
I would say, we will have to merge it as shared data-platform-workflow one day.
Meanwhile, I would prefer to keep it as separate workflow to indicate PoC availability here.
Issue
Generate SBOM manifests for future use by security auditing
Solution
Generate SBOM and upload as artefact in publish workflows