Generate a test SBOM for alpine:3.17.0 #1729

tdruez · tdruez · commit ddb7b4121d90 · 2025-08-19T19:19:09.000+04:00
Signed-off-by: tdruez &lt;tdruez@nexb.com&gt;
diff --git a/.github/workflows/sca-integration-trivy.yml b/.github/workflows/sca-integration-trivy.yml
@@ -23,35 +23,51 @@ env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
 
 jobs:
-  generate-and-load-sbom:
-    runs-on: ubuntu-24.04
+  generate-sbom:
+    runs-on: ubuntu-latest
     steps:
-      - name: Generate CycloneDX SBOM with Trivy
+      - name: Generate SBOM for Alpine 3.17.0
         uses: aquasecurity/trivy-action@0.32.0
         with:
           scan-type: "image"
-          image-ref: ${{ env.IMAGE_REFERENCE }}
+          image-ref: "alpine:3.17.0"
           format: "cyclonedx"
-          output: "trivy-report.sbom.json"
+          output: "alpine-3.17-sbom.json"
           scanners: "vuln,license"
           version: "latest"
 
-      - name: Upload SBOM as GitHub Artifact
+      - name: Upload the SBOM
         uses: actions/upload-artifact@v4
         with:
-          name: trivy-sbom-report
-          path: "${{ github.workspace }}/trivy-report.sbom.json"
-          retention-days: 20
+          path: alpine-3.17-sbom.json
 
-      - name: Import SBOM into ScanCode.io
-        uses: aboutcode-org/scancode-action@main
-        with:
-          pipelines: "load_sbom"
-          inputs-path: "${{ github.workspace }}/trivy-report.sbom.json"
-          # TODO: Remove before merging
-          scancodeio-repo-branch: "1729-sca-integrations-trivy"
-
-      - name: Verify SBOM Analysis Results in ScanCode.io
-        shell: bash
-        run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190"
+#  generate-and-load-sbom:
+#    runs-on: ubuntu-24.04
+#    steps:
+#      - name: Generate CycloneDX SBOM with Trivy
+#        uses: aquasecurity/trivy-action@0.32.0
+#        with:
+#          scan-type: "image"
+#          image-ref: ${{ env.IMAGE_REFERENCE }}
+#          format: "cyclonedx"
+#          output: "trivy-report.sbom.json"
+#          scanners: "vuln,license"
+#          version: "latest"
+#
+#      - name: Upload SBOM as GitHub Artifact
+#        uses: actions/upload-artifact@v4
+#        with:
+#          name: trivy-sbom-report
+#          path: "${{ github.workspace }}/trivy-report.sbom.json"
+#          retention-days: 20
+#
+#      - name: Import SBOM into ScanCode.io
+#        uses: aboutcode-org/scancode-action@main
+#        with:
+#          pipelines: "load_sbom"
+#          inputs-path: "${{ github.workspace }}/trivy-report.sbom.json"
+#
+#      - name: Verify SBOM Analysis Results in ScanCode.io
+#        shell: bash
+#        run: |
+#          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190"
