add SBOM

voxpupuli · Mar 20, 2024 · 1261060 · 1261060
1 parent 1462241
commit 1261060
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -66,6 +66,22 @@ jobs:
           sarif_file: 'trivy-results.sarif'
           matrix: ${{ toJson(matrix) }}
 
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'image'
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          image-ref: 'ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }}'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload trivy report as a Github artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sbom-report
+          path: '${{ github.workspace }}/dependency-results.sbom.json'
+          retention-days: 20 # 90 is the default
+
   tests:
     needs:
       - build_test_container