CLOUDP-315270: Generate SSDLC report with augmented SBOM on-demand #3

Summary
Jobs
- augment-sbom
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/generate-augmented-sbom.yml at 0536660

	name: Augment SBOM

	on:
	pull_request:
	workflow_dispatch:
	inputs:
	release_version:
	description: "Release version (e.g. 1.42.2)"
	required: true
	type: string

	jobs:
	augment-sbom:
	runs-on: ubuntu-latest

	env:
	KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
	KONDUKTO_REPO: mongodb/mongodb-atlas-cli
	KONDUKTO_BRANCH_PREFIX: atlascli
	ARTIFACTORY_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0

	steps:
	- uses: GitHubSecurityLab/actions-permissions/monitor@v1
	with:
	config: ${{ vars.PERMISSIONS_CONFIG }}
	- name: Checkout repo
	uses: actions/checkout@v4

	- uses: actions/setup-go@v5
	with:
	go-version-file: 'go.mod'

	- name: Download Linux ARM64 binary
	run: \|
	curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ github.event.inputs.release_version \|\| '1.42.2' }}/mongodb-atlas-cli_${{ github.event.inputs.release_version \|\| '1.42.2' }}_linux_arm64.tar.gz" \
	-o release.tar.gz

	- name: Extract binary
	run: \|
	tar -xzf release.tar.gz

	- name: Generate PURLs from binary
	run: \|
	go version -m ./mongodb-atlas-cli_${{ github.event.inputs.release_version \|\| '1.42.2' }}_linux_arm64/bin/atlas \| \
	awk '$1 == "dep" \|\| $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' \| \
	LC_ALL=C sort > purls.txt
	cat purls.txt
	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v2
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-region: us-east-1

	- name: Login to AWS ECR
	run: \|
	aws ecr get-login-password --region us-east-1 \| \
	docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com

	- name: Generate SBOM with Silkbomb
	run: \|
	docker run --rm \
	-v "${PWD}:/pwd" \
	"${ARTIFACTORY_IMAGE}" \
	update \
	--purls "/pwd/purls.txt" \
	--sbom-out "/pwd/sbom_lite.json"
	cat "sbom_lite.json"

	- name: Augment SBOM with Kondukto
	run: \|
	arch="arm64"
	kondukto_branch="${KONDUKTO_BRANCH_PREFIX}-linux-${arch}"
	docker run --platform="linux/amd64" -it --rm -v "${PWD}:/pwd" \
	-e "KONDUKTO_TOKEN=${KONDUKTO_TOKEN}" \
	"${ARTIFACTORY_IMAGE}" \
	augment \
	--sbom-in "/pwd/sbom_lite.json" \
	--repo "${KONDUKTO_REPO}" \
	--branch "${kondukto_branch}" \
	--sbom-out "/pwd/aug_sbom.json"

	- name: Upload augmented SBOM as artifact
	uses: actions/upload-artifact@v4
	with:
	name: augmented-sbom
	path: aug_sbom.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CLOUDP-315270: Generate SSDLC report with augmented SBOM on-demand #3

Workflow file

CLOUDP-315270: Generate SSDLC report with augmented SBOM on-demand #3

Uh oh!

Jobs

Run details

Workflow file for this run