
Commit 0993dfe

author
Andre Vieira
committed
chore(actions): cyclonedx sbom
1 parent 9206a83 commit 0993dfe


1 file changed

+6
-33
lines changed


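--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -3,19 +3,17 @@ name: Pull Request
 
 
 on:
-push:
-branches:
-- renovate/**
 pull_request:
 branches:
-- main
+- master
+types:
+- ready_for_review
 
 
 
 env:
 AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
 SBOM_FILENAME: package-sbom
-NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
 
 
 
@@ -80,21 +78,8 @@ jobs:
 uses: anchore/sbom-action@v0
 with:
 upload-artifact-retention: 1
-format: spdx-json
-output-file: ${{ env.SBOM_FILENAME }}.spdx.json
-
-- name: Scan SBOM
-id: scan_sbom
-uses: anchore/scan-action@v3
-with:
-sbom: ${{ env.SBOM_FILENAME }}.spdx.json
-output-format: sarif
-fail-build: false
-
-- name: Determine number of noticiable vulnerabilities
-id: count_vulnerabilities
-run: |
-echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+format: cyclonedx-json
+output-file: ${{ env.SBOM_FILENAME }}.cyclonedx.json
 
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
@@ -104,16 +89,4 @@ jobs:
 
 - name: Copy SBOM to S3
 run: |
-aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
-aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
-
-- name: Update Notion Page
-uses: ydataai/update-notion-page@v1
-env:
-STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
-STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
-with:
-notion_secret: ${{ secrets.NOTION_SECRET }}
-notion_database_id: ${{ env.NOTION_DATABASE_ID }}
-notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
-notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
+aws s3 cp ${{ env.SBOM_FILENAME }}.cyclonedx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.cyclonedx.json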
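Review bot: The new `types: [ready_for_review]` filter on the `pull_request` trigger means a PR opened directly in the non-draft state never runs this workflow, because GitHub emits `ready_for_review` only when a draft is converted, and pushes to an already-ready PR are ignored too since `synchronize` is no longer in the list, so no SBOM is generated or uploaded for most PRs. Keep the default activity types and exclude drafts on the job instead: `types: [opened, synchronize, reopened, ready_for_review]` here, with `if: github.event.pull_request.draft == false` on the job (the `jobs:` block starts outside this hunk). Separately, the commit deletes the `anchore/scan-action` step and the SARIF upload with no replacement in this file, so the pipeline no longer surfaces known vulnerabilities for the SBOM it produces; if the scan moved elsewhere, a one-line comment above the `Copy SBOM to S3` step naming where would keep the next reader from assuming it was simply dropped. The surviving `uses: anchore/sbom-action@v0` and `uses: aws-actions/configure-aws-credentials@v4` references are floating tags; pinning both to a full commit SHA would stop the SBOM producer and the credential step from changing silently under this workflow.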
