Merge pull request #21 from githubabcs-devops/feature/updates04

CalinL · web-flow · commit 2c0a30e22b17 · 2025-04-21T10:31:12.000-04:00
Update workflow names for clarity and add new SBOM workflows for Anchore Syft and Microsoft SBOM Tool
diff --git a/.github/workflows/CIS-Anchore-Grype.yml b/.github/workflows/CIS-Anchore-Grype.yml
@@ -1,7 +1,7 @@
 # https://github.com/anchore/grype
 # https://github.com/anchore/scan-action
 
-name: Anchore Grype Vulnerability Scan (Container Image Scanning)
+name: CIS - Anchore Grype Vulnerability Scan (Container Image Scanning)
 
 on:
   push:
diff --git a/.github/workflows/CIS-Trivy-AquaSecurity.yml b/.github/workflows/CIS-Trivy-AquaSecurity.yml
@@ -2,7 +2,7 @@
 # https://github.com/aquasecurity/trivy
 # https://github.com/aquasecurity/trivy-action
 
-name: Trivy Container Image Scanning
+name: CIS - Trivy Container Image Scanning
 
 on:
   push:
diff --git a/.github/workflows/SCA-Anchore-Syft-SBOM.yml b/.github/workflows/SCA-Anchore-Syft-SBOM.yml
@@ -0,0 +1,39 @@
+# https://github.com/anchore/syft
+# https://github.com/anchore/sbom-action
+
+name: CSA - Anchore Syft SBOM Scan
+
+on:
+  push:
+    branches: [main]
+
+env:
+  imageName: "webapp01"
+  tag: ${{ github.sha }}
+
+permissions:
+  contents: read
+  id-token: write # required to upload artifacts
+
+jobs:
+  anchore-syft-Scan:
+    name: Anchore Syft SBOM Scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # required to upload to the Dependency submission API
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build the Docker image
+        run: docker build ./src/webapp01 --file ./src/webapp01/Dockerfile --tag ${{ env.imageName }}:${{ env.tag }}
+
+      - name: Scan the image and upload dependency results
+        uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
+        with:
+          image: "${{ env.imageName }}:${{ env.tag }}"
+          artifact-name: image.spdx.json
+          dependency-snapshot: true
diff --git a/.github/workflows/SCA-Microsoft-SBOM.yml b/.github/workflows/SCA-Microsoft-SBOM.yml
@@ -0,0 +1,40 @@
+# https://github.com/microsoft/sbom-tool
+
+name: SCA - Microsoft SBOM Tool
+
+on: 
+  workflow_dispatch:
+
+env:
+  SRC_PROJECT_PATH: '/webapp01/webapp01.csproj' 
+  AZURE_WEBAPP_PACKAGE_PATH: './src'            # set this to the path to your web app project, defaults to the repository root
+  DOTNET_VERSION: '9.0.x'                       # set this to the dot net version to use
+
+permissions:
+  contents: read
+  id-token: write # required to upload artifacts
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Setup .NET Core
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: ${{ env.DOTNET_VERSION }} 
+    - name: dotnet build
+      run: |
+        dotnet restore ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}${{ env.SRC_PROJECT_PATH }}
+        dotnet build --configuration Release ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}${{ env.SRC_PROJECT_PATH }} --output buildOutput
+      
+    - name: Generate SBOM
+      run: |
+        curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+        chmod +x $RUNNER_TEMP/sbom-tool
+        $RUNNER_TEMP/sbom-tool generate -b ./buildOutput -bc . -pn Test -pv 1.0.0 -ps MyCompany -nsb https://sbom.mycompany.com -V Verbose
+
+    - name: Upload a Build Artifact
+      uses: actions/upload-artifact@v4
+      with:
+        path: buildOutput
