[CRAVEX] SCA Integrations: OWASP dep-scan #12
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate SBOM with OWASP dep-scan and load into ScanCode.io | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| env: | |
| IMAGE_REFERENCE: "python:3.13.0-slim" | |
| # IMAGE_REFERENCE: "alpine:3.17.0" | |
| jobs: | |
| generate-and-load-sbom: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Prepare writable reports directory | |
| run: mkdir -p reports/ && chmod 777 reports/ | |
| - name: Pull and save the Docker image | |
| run: | | |
| docker pull ${{ env.IMAGE_REFERENCE }} | |
| docker save --output docker-image.tar ${{ env.IMAGE_REFERENCE }} | |
| chmod 644 docker-image.tar | |
| - name: Install OWASP dep-scan | |
| run: | | |
| sudo npm install -g @cyclonedx/cdxgen | |
| pip install owasp-depscan | |
| - name: Generate SBOM with OWASP dep-scan | |
| run: | | |
| depscan \ | |
| --src docker-image.tar \ | |
| --type docker,license \ | |
| --explain \ | |
| --reports-dir reports/ \ | |
| --report-name depscan-sbom.cdx.json | |
| env: | |
| SCAN_DEBUG_MODE: debug | |
| # - name: Generate SBOM with OWASP dep-scan | |
| # run: | | |
| # docker run --rm -v ${{ github.workspace }}:/app \ | |
| # -e SCAN_DEBUG_MODE=debug \ | |
| # ghcr.io/owasp-dep-scan/dep-scan depscan \ | |
| # --src /app/docker-image.tar \ | |
| # --type docker,license \ | |
| # --explain \ | |
| # --reports-dir /app/reports/ \ | |
| # --report-name depscan-sbom.cdx.json | |
| - run: ls -la reports | |
| - name: Upload SBOM as GitHub Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: depscan-sbom | |
| path: reports/ | |
| retention-days: 20 | |
| # - name: Import SBOM into ScanCode.io | |
| # uses: aboutcode-org/scancode-action@main | |
| # with: | |
| # pipelines: "load_sbom" | |
| # inputs-path: "depscan-sbom.cdx.json" | |
| # | |
| # - name: Verify SBOM Analysis Results in ScanCode.io | |
| # shell: bash | |
| # run: | | |
| # scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0" |