NHSDigital · chrisbloe · Oct 8, 2025 · Oct 1, 2025 · Oct 1, 2025 · Oct 8, 2025
@@ -0,0 +1,104 @@
+name: 'Z-AUTOMATED: SBOM Repo Scan'
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  actions: read   # Required for anchore/sbom-action
+  contents: write # Required for anchore/sbom-action
+  id-token: write # Required for requesting the JWT
+  pull-requests: write
+
+jobs:
+  sbom_scan:
+    name: SBOM Repo Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+
+      - uses: anchore/sbom-action@v0
+        with:
+          path: "."
+          format: cyclonedx-json
+          output-file: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json
+
+      - uses: anchore/scan-action@v7
+        id: sbom-scan
+        with:
+          sbom: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json
+          fail-build: true
+          severity-cutoff: low
+          only-fixed: true
+          output-format: sarif
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.sbom-scan.outputs.sarif }}
+
+      - name: Add/Update SBOM failure comment
+        uses: actions/github-script@v8
+        if: always() && failure()
+        with:
+          script: |
+            // 1. Retrieve existing bot comments for the PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            })
+
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
+            })
+
+            // 2. Prepare format of the comment
+            const output = `### Code security issues found
+
+            View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
+
+            // 3. If we have a comment, update it, otherwise create a new one
+            if (botComment) {
+              github.rest.issues.deleteComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: output
+              })
+            }
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Delete SBOM failure comment
+        uses: actions/github-script@v8
+        if: always() && success()
+        with:
+          script: |
+            // 1. Retrieve existing bot comments for the PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            })
+
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
+            })
+
+            // 2. If we have a comment, update it, otherwise create a new one
+            if (botComment) {
+              github.rest.issues.deleteComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id
+              })
+            }
@@ -5,9 +5,10 @@ on:
     - cron: 30 4 * * 1-5
 
 permissions:
+  actions: read   # Required for anchore/sbom-action
+  contents: write # Required for anchore/sbom-action
   pull-requests: write
-  id-token: write 
-  contents: read
+  id-token: write
 
 jobs:
   set_workspace: