diff --git a/.github/workflows/automated-sbom-repo-scan.yml b/.github/workflows/automated-sbom-repo-scan.yml new file mode 100644 index 000000000..714d9c31e --- /dev/null +++ b/.github/workflows/automated-sbom-repo-scan.yml 
@@ -0,0 +1,104 @@ +name: 'Z-AUTOMATED: SBOM Repo Scan' + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + actions: read # Required for anchore/sbom-action + contents: write # Required for anchore/sbom-action + id-token: write # Required for requesting the JWT + pull-requests: write + +jobs: + sbom_scan: + name: SBOM Repo Scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + + - uses: anchore/sbom-action@v0 + with: + path: "." + format: cyclonedx-json + output-file: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json + + - uses: anchore/scan-action@v7 + id: sbom-scan + with: + sbom: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json + fail-build: true + severity-cutoff: low + only-fixed: true + output-format: sarif + + - name: Upload Anchore scan SARIF report + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: ${{ steps.sbom-scan.outputs.sarif }} + + - name: Add/Update SBOM failure comment + uses: actions/github-script@v8 + if: always() && failure() + with: + script: | + // 1. Retrieve existing bot comments for the PR + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + }) + + const botComment = comments.find(comment => { + return comment.user.type === 'Bot' && comment.body.includes('Code security issues found') + }) + + // 2. Prepare format of the comment + const output = `### Code security issues found + + View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`; + + // 3. 
If we have a comment, update it, otherwise create a new one + if (botComment) { + github.rest.issues.deleteComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: botComment.id, + body: output + }) + } + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + + - name: Delete SBOM failure comment + uses: actions/github-script@v8 + if: always() && success() + with: + script: | + // 1. Retrieve existing bot comments for the PR + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + }) + + const botComment = comments.find(comment => { + return comment.user.type === 'Bot' && comment.body.includes('Code security issues found') + }) + + // 2. If we have a comment, update it, otherwise create a new one + if (botComment) { + github.rest.issues.deleteComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: botComment.id + }) + } diff --git a/.github/workflows/cron-daily-health-check.yml b/.github/workflows/cron-daily-health-check.yml index 25d7f57fb..9b56ace08 100644 --- a/.github/workflows/cron-daily-health-check.yml +++ b/.github/workflows/cron-daily-health-check.yml @@ -5,9 +5,10 @@ on: - cron: 30 4 * * 1-5 permissions: + actions: read # Required for anchore/sbom-action + contents: write # Required for anchore/sbom-action pull-requests: write - id-token: write - contents: read + id-token: write jobs: set_workspace:
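Review bot: The `permissions` block of the new workflow omits `security-events: write`, which `github/codeql-action/upload-sarif` needs to publish the SARIF, so the "Upload Anchore scan SARIF report" step will be rejected and, because the comment step is gated on `failure()` rather than on the scan, a "Code security issues found" comment would be posted for that unrelated failure (or for a failed checkout) even when the scan itself passed. Add `security-events: write` to `permissions` and gate the two github-script steps on the scan outcome: `if: always() && steps.sbom-scan.outcome == 'failure'` and `if: always() && steps.sbom-scan.outcome == 'success'`. In the failure-comment script the `deleteComment` and `createComment` calls are not awaited (unlike `listComments`) and `deleteComment` is passed a `body` argument it does not accept; awaiting both makes API errors fail the step instead of being dropped. The `// 3.` comment says "update it" but the code deletes and recreates, so it should read `// 3. Replace any previous bot comment with a fresh one`. For pull requests opened from forks the token is read-only regardless of this block, so the upload and comment steps would fail there as well — worth confirming against the intended trigger scope.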
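Review bot: `contents: write` is now granted at the workflow level of a scheduled workflow, replacing the previous `contents: read`, so every job in `cron-daily-health-check.yml` — not only the one that runs anchore/sbom-action — receives write access to repository contents; the `jobs:` section that would show which job needs it lies outside the hunk. If a single job generates the SBOM, scope the grant with a job-level `permissions:` block on that job and keep the top-level `contents: read`. It is also worth confirming whether write access is needed at all here: if the SBOM is only stored as a workflow artifact rather than attached to a release, the action may run with `contents: read`, in which case the `# Required for anchore/sbom-action` comment overstates the requirement. The same workflow-level `contents: write` grant appears in the new `automated-sbom-repo-scan.yml` in the first hunk.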