api-management-utils/.github/workflows/sbom.yml at 687e00a626bdbec1c6e7ca1fd69aea341050670f · NHSDigital/api-management-utils · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
name: SBOM Vulnerability Scanning

on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Run SBOM check"
        required: true
        type: choice
        options:
          - yes
          - no

# env:
#   SYFT_VERSION: "1.27.1"
#   TF_VERSION: "1.12.2"

# jobs:
#   deploy:
#     name: Software Bill of Materials
#     runs-on: ubuntu-latest
#     permissions:
#       actions: read
#       contents: write
#     steps:
#       - name: Checkout
#         uses: actions/checkout@v5

#       - name: Setup Python 3.13
#         uses: actions/setup-python@v5
#         with:
#           python-version: "3.13"

#       - name: Setup Terraform
#         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd

#       - uses: terraform-linters/setup-tflint@ae78205cfffec9e8d93fd2b3115c7e9d3166d4b6
#         name: Setup TFLint

#       - name: Set architecture variable
#         id: os-arch
#         run: |
#           case "${{ runner.arch }}" in
#             X64) ARCH="amd64" ;;
#             ARM64) ARCH="arm64" ;;
#           esac
#           echo "arch=${ARCH}" >> $GITHUB_OUTPUT

#       - name: Download and setup Syft
#         run: |
#           DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
#           echo "Downloading: ${DOWNLOAD_URL}"

#           curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
#           tar -xzf syft.tar.gz
#           chmod +x syft

#           # Add to PATH for subsequent steps
#           echo "$(pwd)" >> $GITHUB_PATH

#       - name: Create SBOM
#         run: bash scripts/create-sbom.sh terraform python tflint

#       - name: Convert SBOM JSON to CSV
#         run: |
#           pip install --upgrade pip
#           pip install tabulate
#           REPO_NAME=$(basename $GITHUB_REPOSITORY)
#           python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv

#       - name: Upload SBOM CSV as artifact
#         uses: actions/upload-artifact@v4
#         with:
#           name: sbom-csv
#           path: SBOM_${{ github.event.repository.name }}.csv

#       - name: Install Grype
#         run: |
#           curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

#       - name: Scan SBOM for Vulnerabilities (JSON)
#         run: |
#           grype sbom:sbom.json -o json > grype-report.json


#       - name: Convert Grype JSON to CSV
#         run: |
#           pip install --upgrade pip
#           REPO_NAME=$(basename $GITHUB_REPOSITORY)
#           python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv


#       - name: Upload Vulnerability Report
#         uses: actions/upload-artifact@v4
#         with:
#           name: grype-report
#           path: grype-report-${{ github.event.repository.name }}.csv

#       - name: Generate Package Inventory CSV
#         run: |
#           pip install --upgrade pip
#           REPO_NAME=$(basename $GITHUB_REPOSITORY)
#           python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME

#       - name: Upload Package Inventory CSV
#         uses: actions/upload-artifact@v4
#         with:
#           name: sbom-packages
#           path: sbom-packages-${{ github.event.repository.name }}.csv

jobs:
  sbom:
    runs-on: ubuntu-22.04
    container:
      image: python:3.13-slim

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Poetry and Tools
        run: |
          apt-get update && apt-get install -y curl
          curl -sSL https://install.python-poetry.org | python3 -
          export PATH="$HOME/.local/bin:$PATH"
          pip install cyclonedx-bom grype tabulate

      - name: Install dependencies
        run: |
          export PATH="$HOME/.local/bin:$PATH"
          poetry install

      # Generate SBOM in JSON
      - name: Generate SBOM (CycloneDX)
        run: |
          cyclonedx-py --format json --output sbom.json

      # Convert SBOM JSON to CSV
      - name: Convert SBOM JSON to CSV
        run: |
          python .github/scripts/sbom_json_to_csv.py sbom.json sbom.csv

      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom-files
          path: |
            sbom.json
            sbom.csv

      # Scan SBOM for vulnerabilities
      - name: Scan SBOM for Vulnerabilities
        run: |
          grype sbom:sbom.json -o json > grype-report.json

      # Convert Grype JSON to CSV
      - name: Convert Grype JSON to CSV
        run: |
          python .github/scripts/grype_json_to_csv.py grype-report.json grype-report.csv

      - name: Upload Vulnerability Report
        uses: actions/upload-artifact@v4
        with:
          name: grype-report
          path: |
            grype-report.json
            grype-report.csv