sbom configuration

koppuravuris · koppuravuris · commit 8fc8c139645d · 2025-09-17T11:33:33.000+01:00
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -0,0 +1,72 @@
+name: SBOM Check
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Run SBOM check"
+        required: true
+        type: choice
+        options:
+          - yes
+          - no
+
+env:
+  SYFT_VERSION: "1.27.1"
+  TF_VERSION: "1.12.2"
+
+jobs:
+  deploy:
+    name: Software Bill of Materials
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5        
+
+      - name: Setup Python 3.13
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+
+      - uses: terraform-linters/setup-tflint@v5
+        name: Setup TFLint
+        with:
+          tflint_version: v0.58.0
+
+      - name: Set architecture variable
+        id: os-arch
+        run: |
+          case "${{ runner.arch }}" in
+            X64) ARCH="amd64" ;;
+            ARM64) ARCH="arm64" ;;
+          esac
+          echo "arch=${ARCH}" >> $GITHUB_OUTPUT
+
+      - name: Download and setup Syft
+        run: |
+          DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
+          echo "Downloading: ${DOWNLOAD_URL}"
+
+          curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
+          tar -xzf syft.tar.gz
+          chmod +x syft
+
+          # Add to PATH for subsequent steps
+          echo "$(pwd)" >> $GITHUB_PATH
+
+      - name: Create SBOM
+        run: bash scripts/create-sbom.sh terraform python tflint
+
+      - name: Upload SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.json
diff --git a/scripts/create-sbom.sh b/scripts/create-sbom.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+# Generate SBOM for current directory
+syft -o spdx-json . > "$REPO_ROOT/sbom.json"
+
+# Generate and merge SBOMs for each tool passed as argument
+for tool in "$@"; do
+  echo "Creating SBOM for $tool and merging"
+  tool_path=$(command -v "$tool")
+  if [[ -z "$tool_path" ]]; then
+    echo "Warning: '$tool' not found in PATH. Skipping." >&2
+    continue
+  fi
+  syft -q -o spdx-json "$tool_path" | python "$REPO_ROOT/scripts/update-sbom.py"
+done
diff --git a/scripts/update-sbom.py b/scripts/update-sbom.py
@@ -0,0 +1,21 @@
+import json
+import sys
+from pathlib import Path
+
+
+def main() -> None:
+    with Path("sbom.json").open("r") as f:
+        sbom = json.load(f)
+
+    tool = json.loads(sys.stdin.read())
+
+    sbom.setdefault("packages", []).extend(tool.setdefault("packages", []))
+    sbom.setdefault("files", []).extend(tool.setdefault("files", []))
+    sbom.setdefault("relationships", []).extend(tool.setdefault("relationships", []))
+
+    with Path("sbom.json").open("w") as f:
+        json.dump(sbom, f)
+
+
+if __name__ == "__main__":
+    main()
