diff --git a/.github/workflows/CIS-Anchore-Grype.yml b/.github/workflows/CIS-Anchore-Grype.yml
index 19b0afd..ca11356 100644
--- a/.github/workflows/CIS-Anchore-Grype.yml
+++ b/.github/workflows/CIS-Anchore-Grype.yml
@@ -1,7 +1,7 @@
 # https://github.com/anchore/grype
 # https://github.com/anchore/scan-action
 
-name: Anchore Grype Vulnerability Scan (Container Image Scanning)
+name: CIS - Anchore Grype Vulnerability Scan (Container Image Scanning)
 
 on:
   push:
diff --git a/.github/workflows/CIS-Trivy-AquaSecurity.yml b/.github/workflows/CIS-Trivy-AquaSecurity.yml
index 8fcfe84..05dc34e 100644
--- a/.github/workflows/CIS-Trivy-AquaSecurity.yml
+++ b/.github/workflows/CIS-Trivy-AquaSecurity.yml
@@ -2,7 +2,7 @@
 # https://github.com/aquasecurity/trivy
 # https://github.com/aquasecurity/trivy-action
 
-name: Trivy Container Image Scanning
+name: CIS - Trivy Container Image Scanning
 
 on:
   push:
diff --git a/.github/workflows/SCA-Anchore-Syft-SBOM.yml b/.github/workflows/SCA-Anchore-Syft-SBOM.yml
new file mode 100644
index 0000000..dc2d548
--- /dev/null
+++ b/.github/workflows/SCA-Anchore-Syft-SBOM.yml
@@ -0,0 +1,39 @@
+# https://github.com/anchore/syft
+# https://github.com/anchore/sbom-action
+
+name: CSA - Anchore Syft SBOM Scan
+
+on:
+  push:
+    branches: [main]
+
+env:
+  imageName: "webapp01"
+  tag: ${{ github.sha }}
+
+permissions:
+  contents: read
+  id-token: write # required to upload artifacts
+
+jobs:
+  anchore-syft-Scan:
+    name: Anchore Syft SBOM Scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # required to upload to the Dependency submission API
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build the Docker image
+        run: docker build ./src/webapp01 --file ./src/webapp01/Dockerfile --tag ${{ env.imageName }}:${{ env.tag }}
+
+      - name: Scan the image and upload dependency results
+        uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
+        with:
+          image: "${{ env.imageName }}:${{ env.tag }}"
+          artifact-name: image.spdx.json
+          dependency-snapshot: true
diff --git a/.github/workflows/SCA-Microsoft-SBOM.yml b/.github/workflows/SCA-Microsoft-SBOM.yml
new file mode 100644
index 0000000..45128a2
--- /dev/null
+++ b/.github/workflows/SCA-Microsoft-SBOM.yml
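Review bot: The workflow-level `id-token: write # required to upload artifacts` grants an OIDC-token scope that artifact upload does not use, and because the job declares its own `permissions:` block (which, as I read GitHub's semantics, replaces the workflow-level block for that job) the grant is inert as well as mislabelled; drop that line and leave `permissions:` / `contents: read` at the top, keeping the job-level `contents: write` that the Dependency submission API does need. Supply-chain pinning is inconsistent inside the same job: `anchore/sbom-action` is pinned to a commit SHA while `actions/checkout@v4` is a mutable tag, so pin it the same way, `uses: actions/checkout@<commit-sha> # v4`. Finally, `name: CSA - Anchore Syft SBOM Scan` looks like a transposition of the `SCA-` prefix used by this file's name and by the sibling `SCA - Microsoft SBOM Tool` workflow; `name: SCA - Anchore Syft SBOM Scan`.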
@@ -0,0 +1,40 @@
+# https://github.com/microsoft/sbom-tool
+
+name: SCA - Microsoft SBOM Tool
+
+on:
+  workflow_dispatch:
+
+env:
+  SRC_PROJECT_PATH: '/webapp01/webapp01.csproj'
+  AZURE_WEBAPP_PACKAGE_PATH: './src' # set this to the path to your web app project, defaults to the repository root
+  DOTNET_VERSION: '9.0.x' # set this to the dot net version to use
+
+permissions:
+  contents: read
+  id-token: write # required to upload artifacts
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup .NET Core
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+      - name: dotnet build
+        run: |
+          dotnet restore ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}${{ env.SRC_PROJECT_PATH }}
+          dotnet build --configuration Release ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}${{ env.SRC_PROJECT_PATH }} --output buildOutput
+
+      - name: Generate SBOM
+        run: |
+          curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+          chmod +x $RUNNER_TEMP/sbom-tool
+          $RUNNER_TEMP/sbom-tool generate -b ./buildOutput -bc . -pn Test -pv 1.0.0 -ps MyCompany -nsb https://sbom.mycompany.com -V Verbose
+
+      - name: Upload a Build Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: buildOutput
\ No newline at end of file
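Review bot: The Generate SBOM step fetches `.../releases/latest/download/sbom-tool-linux-x64` with a bare `curl -Lo` and executes it unverified, so the tool that produces this repository's supply-chain evidence is itself an unpinned, unchecked download — and without `-f`, an HTTP error body would be saved and chmod'd as the binary. Pin a specific release tag, record its SHA-256 in the workflow and fail the step on mismatch, as sketched below (tag and digest are placeholders to fill from the release you pin). Separately, `-pn Test -pv 1.0.0 -ps MyCompany -nsb https://sbom.mycompany.com` are placeholder package/supplier/namespace values; an SBOM attesting to a fictitious supplier is of little use downstream, so these should come from real project metadata (e.g. `github.repository`, `github.sha`) before anyone relies on the output. The top-level `id-token: write # required to upload artifacts` is also mislabelled: `actions/upload-artifact@v4` does not need an OIDC token, so that scope can be dropped.
```yaml
      - name: Generate SBOM
        env:
          SBOM_TOOL_VERSION: "<release tag to pin>"
          SBOM_TOOL_SHA256: "<sha256 of sbom-tool-linux-x64 for that release>"
        run: |
          curl -fsSLo "$RUNNER_TEMP/sbom-tool" "https://github.com/microsoft/sbom-tool/releases/download/${SBOM_TOOL_VERSION}/sbom-tool-linux-x64"
          echo "${SBOM_TOOL_SHA256}  $RUNNER_TEMP/sbom-tool" | sha256sum -c -
          chmod +x "$RUNNER_TEMP/sbom-tool"
          # … unchanged: sbom-tool generate …
```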