Polished configuration and removed debug step #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: create_and_scan_SBOM | |
| on: | |
| push: | |
| branches: | |
| - main | |
| release: | |
| types: [created] | |
| jobs: | |
| create-sbom: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # The SBOM action generates and SBOM with the given format and automatically | |
| # attaches it to the release, if it was triggered in the context of a release event. | |
| - name: Generate SBOM with Syft | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| path: . | |
| output-file: "${{ github.event.repository.name }}-sbom.cyclonedx.json" | |
| format: "cyclonedx-json" | |
| config: ".github/workflows/config/syft.yml" # config to exclude pnpm-lock.yaml | |
| # Scans the SBOM for vulnerabilities with Grype | |
| - name: Scan SBOM with Grype | |
| id: scan | |
| uses: anchore/scan-action@v5 | |
| with: | |
| fail-build: false | |
| by-cve: true # Prefer using CVE ids over GHSA ids | |
| cache-db: true # Minimize risk of hitting rate limits | |
| sbom: "${{ github.event.repository.name }}-sbom.cyclonedx.json" | |
| # Upload the scan results to GitHub Security tab | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| category: "syft_and_grype" |