diff --git a/.github/workflows/devopsshield-cis-trivy.yml b/.github/workflows/devopsshield-cis-trivy.yml
index 6757856..3f8b300 100644
--- a/.github/workflows/devopsshield-cis-trivy.yml
+++ b/.github/workflows/devopsshield-cis-trivy.yml
@@ -1,4 +1,4 @@
-# Last applied at: Thu, 09 Jan 2025 14:42:09 GMT
+# Last applied at: Mon, 20 Jan 2025 03:14:03 GMT
 # DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
 # https://devopsshield.com
 ##############################################################
@@ -20,6 +20,7 @@
 # Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.
 # Trivy is a comprehensive and versatile security scanner.
 # Trivy has scanners that look for security issues, and targets where it can find those issues.
+# Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more.
 # Read the official documentation to find out more.
 # For more information:
 # https://trivy.dev/latest/
@@ -58,7 +59,7 @@ jobs:
         docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+      uses: aquasecurity/trivy-action@v0.29.0
       with:
         image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
         format: 'sarif'
diff --git a/.github/workflows/devopsshield-sca-anchore-syft.yml b/.github/workflows/devopsshield-sca-anchore-syft.yml
new file mode 100644
index 0000000..5c53c34
--- /dev/null
+++ b/.github/workflows/devopsshield-sca-anchore-syft.yml
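Review bot: The `uses:` line in the `@@ -58,7 +59,7 @@` hunk moves from a full commit SHA to the mutable tag `v0.29.0`, which weakens the supply-chain pin the removed line had: a tag can be re-pointed by anyone with write access to the action's repository, a commit SHA cannot. Keep the tag for readability but pin to the release commit, `uses: aquasecurity/trivy-action@<full-commit-sha-of-v0.29.0>  # v0.29.0`, and let Dependabot or Renovate bump the SHA. The same point applies to `actions/checkout@v4` and `anchore/sbom-action@v0` in the new devopsshield-sca-anchore-syft.yml hunk, where a floating major tag such as `@v0` is the least specific reference of all. The Trivy job's step list continues past the hunk on both sides.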
@@ -0,0 +1,60 @@
+# Last applied at: Mon, 20 Jan 2025 03:14:11 GMT
+# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
+# https://devopsshield.com
+##############################################################
+# This is a DevOps Shield - Application Security - Code Security Template.
+
+# This workflow template uses actions that are not certified by DevOps Shield.
+# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+
+# Use this workflow template for integrating code security into your pipelines and workflows.
+
+# DevOps Shield Workflow Template Details:
+# ------------------------------------------------------------
+# Code: GH_SCA_ANCHORE_SYFT
+# Name: Anchore Syft SBOM Scan
+# DevSecOpsControls: SCA
+# Provider: Anchore
+# Categories: Code Scanning, Dockerfile, Dependency Management
+# Description:
+# Produce Software Bills of Materials based on Anchore's open source Syft tool.
+# Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems.
+# It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency submission API.
+# Read the official documentation to find out more.
+# For more information:
+# https://github.com/anchore/syft
+# ------------------------------------------------------------
+# Source repository: https://github.com/anchore/sbom-action
+##############################################################
+
+name: Anchore Syft SBOM Scan
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  anchore-syft-Scan:
+    name: Anchore Syft SBOM Scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # required to upload to the Dependency submission API
+      actions: read # to find workflow artifacts when attaching release assets
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+
+    - name: Scan the image and upload dependency results
+      uses: anchore/sbom-action@v0
+      with:
+        image: "localbuild/testimage:latest"
+        artifact-name: image.spdx.json
+        dependency-snapshot: true
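Review bot: The `actions: read` grant under `permissions:` is justified by a comment about attaching release assets, but this workflow only triggers on `push` to `main` and never creates or uploads a release, so the scope appears unused; either drop the line or reword the comment to the reason it is actually needed by this job (I cannot confirm from the hunk whether sbom-action needs it outside the release path). `contents: write` is correctly noted as required for the dependency-snapshot upload, but that scope also lets the job's token push to the repository, which is why keeping the trigger restricted to a trusted branch matters here. Two style points: `branches: [ main ]` has padding inside the brackets and `artifact-name:` is plain while `image:` is double-quoted — `branches: [main]` and `artifact-name: "image.spdx.json"` would match. The job id `anchore-syft-Scan` mixes case; `anchore-syft-scan` matches the kebab-case used elsewhere in the file.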