Skip to content
Generate SBOM with Anchore (Syft and Grype) and load into ScanCode.io

[CRAVEX] SCA Integrations: Anchore #6

Sign in to view logs

[CRAVEX] SCA Integrations: Anchore

[CRAVEX] SCA Integrations: Anchore #6

Workflow file for this run

.github/workflows/sca-integration-anchore.yml at 1a90193
name: Generate SBOM with Anchore (Syft and Grype) and load into ScanCode.io
on:
workflow_dispatch:
pull_request:
push:
branches:
- main
permissions:
contents: read
env:
IMAGE_REFERENCE: "python:3.13.0-slim"
jobs:
generate-and-load-sbom:
runs-on: ubuntu-24.04
steps:
# - name: Generate CycloneDX SBOM with Anchore Syft
# uses: anchore/sbom-action@v0
# with:
# image: ${{ env.IMAGE_REFERENCE }}
# format: cyclonedx-json
# output-file: "${{ github.event.repository.name }}-sbom.cdx.json"
# artifact-name: "anchore-sylt-sbom.cdx.json"
# upload-artifact: true
#
# - name: Scan SBOM with Grype scanner for vulnerabilities
# uses: anchore/scan-action@v6
# with:
# sbom: "${{ github.event.repository.name }}-sbom.cdx.json"
# output-format: cyclonedx-json
# output-file: "anchore-grype-sbom.cdx.json"
# fail-build: false
- name: Scan image
uses: anchore/scan-action@v6
with:
image: ${{ env.IMAGE_REFERENCE }}
output-format: cyclonedx-json
output-file: "anchore-grype-sbom.cdx.json"
fail-build: false
- name: Upload SBOM as GitHub Artifact
uses: actions/upload-artifact@v4
with:
name: anchore-grype-sbom
path: "anchore-grype-sbom.cdx.json"
retention-days: 20
- name: Import SBOM into ScanCode.io
uses: aboutcode-org/scancode-action@main
with:
pipelines: "load_sbom"
inputs-path: "anchore-grype-sbom.cdx.json"
- name: Verify SBOM Analysis Results in ScanCode.io
shell: bash
run: |
scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; print(package_manager.count()); print(package_manager.vulnerable().count()); print(DiscoveredDependency.objects.count())"