@@ -17,20 +17,27 @@ jobs:
1717 generate-and-load-sbom :
1818 runs-on : ubuntu-24.04
1919 steps :
20- - name : Generate CycloneDX SBOM with Anchore Syft
21- uses : anchore/sbom-action@v0
22- with :
23- image : ${{ env.IMAGE_REFERENCE }}
24- format : cyclonedx-json
25- output-file : " ${{ github.event.repository.name }}-sbom.cdx.json"
26- artifact-name : " anchore-sylt-sbom.cdx.json"
27- upload-artifact : true
20+ # - name: Generate CycloneDX SBOM with Anchore Syft
21+ # uses: anchore/sbom-action@v0
22+ # with:
23+ # image: ${{ env.IMAGE_REFERENCE }}
24+ # format: cyclonedx-json
25+ # output-file: "${{ github.event.repository.name }}-sbom.cdx.json"
26+ # artifact-name: "anchore-sylt-sbom.cdx.json"
27+ # upload-artifact: true
28+ #
29+ # - name: Scan SBOM with Grype scanner for vulnerabilities
30+ # uses: anchore/scan-action@v6
31+ # with:
32+ # sbom: "${{ github.event.repository.name }}-sbom.cdx.json"
33+ # output-format: cyclonedx-json
34+ # output-file: "anchore-grype-sbom.cdx.json"
35+ # fail-build: false
2836
29- - name : Scan SBOM with Grype scanner for vulnerabilities
37+ - name : Scan image
3038 uses : anchore/scan-action@v6
3139 with :
32- # sbom: "anchore-sylt-sbom.cdx.json"
33- sbom : " ${{ github.event.repository.name }}-sbom.cdx.json"
40+ image : ${{ env.IMAGE_REFERENCE }}
3441 output-format : cyclonedx-json
3542 output-file : " anchore-grype-sbom.cdx.json"
3643 fail-build : false
4754 with :
4855 pipelines : " load_sbom"
4956 inputs-path : " anchore-grype-sbom.cdx.json"
57+
58+ - name : Verify SBOM Analysis Results in ScanCode.io
59+ shell : bash
60+ run : |
61+ scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; print(package_manager.count()); print(package_manager.vulnerable().count()); print(DiscoveredDependency.objects.count())"
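Review bot: The `Scan image` step at new line 38 references `anchore/scan-action@v6` by a mutable major-version tag, so whatever that tag resolves to in the future runs with this job's token and image reference; pin it to a full-length commit SHA and keep the version as a trailing comment, `uses: anchore/scan-action@<full-commit-sha>  # v6`. The same applies to the `anchore/sbom-action@v0` reference kept in the commented-out block at new lines 17–35, which otherwise duplicates the live step's configuration and is better either removed or prefixed with a one-line comment saying why it is retained. `fail-build: false` means scanner findings never gate the job, which is consistent with loading the results into ScanCode.io downstream, but a comment such as `# findings are triaged in ScanCode.io, not in this job` would make that intent explicit. The `generate-and-load-sbom` job continues outside the visible hunks (the steps between new lines 43 and 54 are not shown), and the second hunk's header is missing from the page.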