🚀 DevOps Shield - DevSecOps Automation - Apply AppSec Configurations

.github/workflows/devopsshield-cis-trivy.yml

@@ -1,4 +1,4 @@
-# Last applied at: Thu, 09 Jan 2025 14:42:09 GMT
+# Last applied at: Mon, 20 Jan 2025 03:14:03 GMT
 # DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
 # https://devopsshield.com
 ##############################################################
@@ -20,6 +20,7 @@
 # Scan Docker container images for vulnerabilities in OS packages and language dependencies with Trivy from Aqua Security.
 # Trivy is a comprehensive and versatile security scanner. 
 # Trivy has scanners that look for security issues, and targets where it can find those issues.
+# Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more.
 # Read the official documentation to find out more. 
 # For more information: 
 # https://trivy.dev/latest/
@@ -58,7 +59,7 @@ jobs:
         docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+      uses: aquasecurity/trivy-action@v0.29.0
       with:
         image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
         format: 'sarif'

.github/workflows/devopsshield-sca-anchore-syft.yml

@@ -0,0 +1,60 @@
+# Last applied at: Mon, 20 Jan 2025 03:14:11 GMT
+# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
+# https://devopsshield.com
+##############################################################
+# This is a DevOps Shield - Application Security - Code Security Template. 
+
+# This workflow template uses actions that are not certified by DevOps Shield. 
+# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+
+# Use this workflow template for integrating code security into your pipelines and workflows.
+
+# DevOps Shield Workflow Template Details:
+# ------------------------------------------------------------
+# Code: GH_SCA_ANCHORE_SYFT
+# Name: Anchore Syft SBOM Scan
+# DevSecOpsControls: SCA
+# Provider: Anchore
+# Categories: Code Scanning, Dockerfile, Dependency Management
+# Description: 
+# Produce Software Bills of Materials based on Anchore's open source Syft tool.
+# Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. 
+# It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency submission API.
+# Read the official documentation to find out more. 
+# For more information: 
+# https://github.com/anchore/syft
+# ------------------------------------------------------------
+# Source repository: https://github.com/anchore/sbom-action
+##############################################################
+
+name: Anchore Syft SBOM Scan
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  anchore-syft-Scan:
+    name: Anchore Syft SBOM Scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # required to upload to the Dependency submission API
+      actions: read # to find workflow artifacts when attaching release assets
+
+    steps:      
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+
+    - name: Scan the image and upload dependency results
+      uses: anchore/sbom-action@v0
+      with:
+        image: "localbuild/testimage:latest"
+        artifact-name: image.spdx.json
+        dependency-snapshot: true