55fe558f63
- Fix dependency_update.yml syntax error (uses: after run:) - Restrict scope_guard.py allowlist: ai:impl no longer allows all tools/, ai:qa no longer allows tools/gates/, ai:docs no longer allows specs/ - Fix signing key exposure in release_signing.yml and supply_chain.yml by using env://COSIGN_KEY instead of inline secret interpolation - Fix specify_init.py hyphen normalization bug (multiple consecutive hyphens) - Add explicit permissions blocks to 15 workflows for least-privilege - Add file existence checks and encoding error handling to compose_codex_prompt.py - Fix schops.py: backup_file() error handling, delimiter-aware lib_id matching Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
58 lines
1.8 KiB
YAML
58 lines
1.8 KiB
YAML
name: SBOM Validation
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
sbom:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- name: Générer SBOM CycloneDX
|
|
run: |
|
|
mkdir -p docs
|
|
if command -v cyclonedx-bom >/dev/null 2>&1; then
|
|
cyclonedx-bom -o docs/sbom-cyclonedx.json
|
|
else
|
|
echo '{"status":"skipped","reason":"cyclonedx-bom not installed"}' > docs/sbom-cyclonedx.json
|
|
fi
|
|
- name: Générer SBOM SPDX
|
|
run: |
|
|
mkdir -p docs
|
|
if command -v spdx-sbom-generator >/dev/null 2>&1; then
|
|
spdx-sbom-generator -o docs/sbom-spdx.json
|
|
else
|
|
echo '{"status":"skipped","reason":"spdx-sbom-generator not installed"}' > docs/sbom-spdx.json
|
|
fi
|
|
- name: Valider SBOM (Trivy)
|
|
run: |
|
|
mkdir -p docs
|
|
if command -v trivy >/dev/null 2>&1; then
|
|
trivy sbom docs/sbom-cyclonedx.json --format json --output docs/sbom-trivy-report.json
|
|
else
|
|
echo '{"status":"skipped","reason":"trivy not installed"}' > docs/sbom-trivy-report.json
|
|
fi
|
|
- name: Valider SBOM (Snyk)
|
|
run: |
|
|
mkdir -p docs
|
|
if command -v snyk >/dev/null 2>&1; then
|
|
snyk test --file=docs/sbom-cyclonedx.json --json > docs/sbom-snyk-report.json || true
|
|
else
|
|
echo '{"status":"skipped","reason":"snyk not installed"}' > docs/sbom-snyk-report.json
|
|
fi
|
|
- name: Upload SBOM & reports
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: sbom-validation
|
|
path: |
|
|
docs/sbom-cyclonedx.json
|
|
docs/sbom-spdx.json
|
|
docs/sbom-trivy-report.json
|
|
docs/sbom-snyk-report.json
|