Files
Clément SAILLANT 55fe558f63 fix: security hardening, CI fixes, and scope guard restrictions
- Fix dependency_update.yml syntax error (uses: after run:)
- Restrict scope_guard.py allowlist: ai:impl no longer allows all tools/,
  ai:qa no longer allows tools/gates/, ai:docs no longer allows specs/
- Fix signing key exposure in release_signing.yml and supply_chain.yml
  by using env://COSIGN_KEY instead of inline secret interpolation
- Fix specify_init.py hyphen normalization bug (multiple consecutive hyphens)
- Add explicit permissions blocks to 15 workflows for least-privilege
- Add file existence checks and encoding error handling to compose_codex_prompt.py
- Fix schops.py: backup_file() error handling, delimiter-aware lib_id matching

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 11:37:18 +01:00

58 lines
1.8 KiB
YAML

name: SBOM Validation
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Générer SBOM CycloneDX
run: |
mkdir -p docs
if command -v cyclonedx-bom >/dev/null 2>&1; then
cyclonedx-bom -o docs/sbom-cyclonedx.json
else
echo '{"status":"skipped","reason":"cyclonedx-bom not installed"}' > docs/sbom-cyclonedx.json
fi
- name: Générer SBOM SPDX
run: |
mkdir -p docs
if command -v spdx-sbom-generator >/dev/null 2>&1; then
spdx-sbom-generator -o docs/sbom-spdx.json
else
echo '{"status":"skipped","reason":"spdx-sbom-generator not installed"}' > docs/sbom-spdx.json
fi
- name: Valider SBOM (Trivy)
run: |
mkdir -p docs
if command -v trivy >/dev/null 2>&1; then
trivy sbom docs/sbom-cyclonedx.json --format json --output docs/sbom-trivy-report.json
else
echo '{"status":"skipped","reason":"trivy not installed"}' > docs/sbom-trivy-report.json
fi
- name: Valider SBOM (Snyk)
run: |
mkdir -p docs
if command -v snyk >/dev/null 2>&1; then
snyk test --file=docs/sbom-cyclonedx.json --json > docs/sbom-snyk-report.json || true
else
echo '{"status":"skipped","reason":"snyk not installed"}' > docs/sbom-snyk-report.json
fi
- name: Upload SBOM & reports
uses: actions/upload-artifact@v4
with:
name: sbom-validation
path: |
docs/sbom-cyclonedx.json
docs/sbom-spdx.json
docs/sbom-trivy-report.json
docs/sbom-snyk-report.json