chore: Generate SSDLC report after release (#3383)

oarbusi · Copilot · web-flow · commit e559f7516e03 · 2025-06-06T17:39:16.000+02:00
* generate ssdlc report

* add missing target shell

* fix issues with generation

* Update scripts/gen-ssdlc-report.sh

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* Update .github/workflows/ssdlc-report.yml

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* remove double tab

* fix commit message

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/ssdlc-report.yml b/.github/workflows/ssdlc-report.yml
@@ -0,0 +1,34 @@
+name: Generate SSDLC Compliance Report
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'terraform-provider-mongodbatlas tag version (e.g. 1.42.2)'
+        required: true
+        type: string
+
+jobs:
+  generate-ssdlc-report:
+    uses: ./.github/workflows/run-script-and-commit.yml
+    with:
+      script_call: |
+        if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+          TAG="${{ github.event.inputs.tag }}"
+          VERSION="${TAG#v}"
+          AUTHOR="${{ github.actor }}"
+        else
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          AUTHOR="${{ github.event.release.author.login }}"
+        fi
+        export AUTHOR VERSION
+        ./scripts/gen-ssdlc-report.sh
+      file_to_commit: 'compliance/v*/ssdlc-compliance-*.md'
+      commit_message: "chore: Update SSDLC report for ${{ github.event.inputs.tag || github.ref }}"
+    secrets:
+      apix_bot_pat: ${{ secrets.APIX_BOT_PAT }}
+      remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
+      gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
+      passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}
diff --git a/scripts/gen-ssdlc-report.sh b/scripts/gen-ssdlc-report.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+
+export DATE="${release_date}"
+
+if [ -z "${AUTHOR:-}" ]; then
+  AUTHOR=$(git config user.name)
+fi
+
+if [ -z "${VERSION:-}" ]; then
+  VERSION=$(git tag --list 'v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
+fi
+
+if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then
+  target_dir="."
+  file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+  SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
+      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+  target_dir="compliance/v${VERSION}"
+  file_name="ssdlc-compliance-${VERSION}.md"
+  SBOM_TEXT="  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/terraform-provider-mongodbatlas/releases/download/terraform-provider-mongodbatlas%2Fv${VERSION}/sbom.json"
+  # Ensure terraform-provider-mongodbatlas version directory exists
+  mkdir -p "${target_dir}"
+fi
+
+export AUTHOR
+export VERSION
+export SBOM_TEXT
+
+echo "Generating SSDLC report for Terraform Provider for MongoDB Atlas version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
+
+envsubst < templates/releases/ssdlc-compliance.template.md \
+  > "${target_dir}/${file_name}"
+
+echo "SSDLC compliance report ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
+
+echo "Printing the generated report:"
+cat "${target_dir}/${file_name}"
diff --git a/templates/releases/ssdlc-compliance.template.md b/templates/releases/ssdlc-compliance.template.md
@@ -0,0 +1,29 @@
+SSDLC Compliance Report: Terraform Provider MongoDB Atlas ${VERSION}
+=================================================================
+
+- Release Creator: ${AUTHOR}
+- Created On:       ${DATE}
+
+Overview:
+
+- **Product and Release Name**
+  - Terraform Provider MongoDB Atlas ${VERSION}, ${DATE}.
+
+- **Process Document**
+  - https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities
+
+- **Tool used to track third party vulnerabilities**
+  - [Kondukto](https://arcticglow.kondukto.io/)
+
+- **Dependency Information**
+${SBOM_TEXT}
+
+- **Security Testing Report**
+  - Available as needed from Cloud Security.
+
+- **Security Assessment Report**
+  - Available as needed from Cloud Security.
+
+Assumptions and attestations:
+
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.
