
Commit d81fa85

ci: add SBOM generation and CVE scan workflow
1 parent d4360ea commit d81fa85

1 file changed

Lines changed: 46 additions & 0 deletions


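--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,46 @@
+name: SBOM Generation
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          pip install -r requirements.txt --require-hashes
+          pip install cyclonedx-bom pip-audit
+
+      - name: Generate SBOM
+        run: |
+          python -m cyclonedx_py environment -o sbom/latest.cdx.json --of JSON
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trailstax-sbom-${{ github.sha }}
+          path: sbom/latest.cdx.json
+          retention-days: 90
+
+      - name: CVE Scan
+        run: |
+          python -m pip_audit -r requirements.txt --output json -o audit.json
+
+      - name: Upload audit artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trailstax-audit-${{ github.sha }}
+          path: audit.json
+          retention-days: 30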
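Review bot: The CVE Scan step's `--output json` is taken by pip-audit as an output path (its format switch is `--format`/`-f`), so the later `-o audit.json` wins and the file is written in the default columns format rather than JSON; the line should read `python -m pip_audit -r requirements.txt --format json -o audit.json`. pip-audit also exits non-zero when it finds a vulnerability, which skips the following "Upload audit artifact" step in exactly the runs where the report matters — add `if: always()` to that step so the artifact is uploaded either way. The workflow declares no `permissions:`, so the job runs with the repository's default token scope although it only needs `contents: read`; a top-level `permissions:` block with `contents: read` keeps it at least privilege. The two scanner tools are installed unpinned into the same environment the SBOM is taken from, so the generated SBOM presumably also lists cyclonedx-bom and pip-audit themselves — pinning them and generating from `requirements.txt` instead of `environment` would make the SBOM describe the application alone.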
