Skip to content

Commit d608dac

Browse files
authored
Add SBOM quality validation to README and CI/CD pipeline
1 parent e56a03c commit d608dac

1 file changed

Lines changed: 26 additions & 11 deletions

File tree

README.md

Lines changed: 26 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ This template implements comprehensive security measures:
1515
- **🔍 Static Analysis** - CodeQL scanning for vulnerabilities
1616
- **📦 Dependency Protection** - Automated dependency vulnerability checks
1717
- **� License Compliance** - Automated checking of dependency licenses (MIT, Apache-2.0, BSD variants, ISC, CC0-1.0, Unlicense)
18+
- **📋 SBOM Quality Validation** - Automated SBOM quality scoring with minimum 7.0/10 threshold using SBOMQS
1819
- **�🔐 Runner Hardening** - All CI/CD runners are hardened with audit logging
1920
- **📋 Security Policies** - GitHub security advisories and vulnerability reporting
2021
- **🏷️ Pinned Dependencies** - All GitHub Actions pinned to specific SHA hashes
@@ -106,16 +107,16 @@ With the template configured, you can now:
106107

107108
Your repository includes these automated workflows:
108109

109-
| Workflow | Trigger | Purpose |
110-
| ----------------------------- | ---------------- | ----------------------------------------------------------------------- |
111-
| **Setup Repository Labels** | Manual | Creates all required labels for PR categorization |
112-
| **Test and Report** | Push/PR | Runs unit tests, E2E tests, license compliance, and generates coverage |
113-
| **Build, Attest and Release** | Manual/Tag | Creates secure releases with SBOM, license validation, and attestations |
114-
| **CodeQL Analysis** | Push/PR/Schedule | Static code analysis for security vulnerabilities |
115-
| **Dependency Review** | PR | Reviews dependencies for known vulnerabilities |
116-
| **Scorecard Analysis** | Push/Schedule | OSSF supply chain security assessment |
117-
| **ZAP Security Scan** | Manual | Dynamic security testing of deployed app |
118-
| **Lighthouse Performance** | Manual | Performance and accessibility audits |
110+
| Workflow | Trigger | Purpose |
111+
| ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------- |
112+
| **Setup Repository Labels** | Manual | Creates all required labels for PR categorization |
113+
| **Test and Report** | Push/PR | Runs unit tests, E2E tests, license compliance, SBOM quality validation, and generates coverage |
114+
| **Build, Attest and Release** | Manual/Tag | Creates secure releases with SBOM, license validation, and attestations |
115+
| **CodeQL Analysis** | Push/PR/Schedule | Static code analysis for security vulnerabilities |
116+
| **Dependency Review** | PR | Reviews dependencies for known vulnerabilities |
117+
| **Scorecard Analysis** | Push/Schedule | OSSF supply chain security assessment |
118+
| **ZAP Security Scan** | Manual | Dynamic security testing of deployed app |
119+
| **Lighthouse Performance** | Manual | Performance and accessibility audits |
119120

120121
### 🛡️ Security Features Ready to Use
121122

@@ -125,6 +126,7 @@ Once configured, your repository automatically provides:
125126
- **🔍 Static Analysis** - CodeQL scanning for vulnerabilities
126127
- **📦 Dependency Protection** - Automated dependency vulnerability checks
127128
- **� License Compliance** - Automated checking of dependency licenses (MIT, Apache-2.0, BSD variants, ISC, CC0-1.0, Unlicense)
129+
- **📋 SBOM Quality Validation** - Automated SBOM quality scoring with minimum 7.0/10 threshold using SBOMQS
128130
- **�🔐 Runner Hardening** - All CI/CD runners are hardened with audit logging
129131
- **📋 Security Policies** - GitHub security advisories and vulnerability reporting
130132
- **🏷️ Pinned Dependencies** - All GitHub Actions pinned to specific SHA hashes
@@ -376,6 +378,15 @@ export function Game() {
376378
- Prevents dependencies with restrictive or unknown licenses
377379
- Run with: `npm run test:licenses`
378380

381+
### SBOM Quality Validation
382+
383+
- Automated SBOM quality assessment using [SBOMQS](https://github.com/interlynk-io/sbomqs) during CI/CD builds
384+
- Validates SBOM completeness across multiple standards (NTIA-minimum-elements, BSI v1.1/v2.0, Semantic, Quality, Sharing, Structural)
385+
- Enforces minimum quality score of **7.0/10** to ensure high-quality Software Bill of Materials
386+
- Checks for essential components: names, versions, unique IDs, suppliers, licenses, checksums, and dependency relationships
387+
- Blocks builds with insufficient SBOM quality to maintain supply chain transparency
388+
- Provides detailed quality reports with actionable feedback for improvement
389+
379390
### CI/CD Pipeline
380391

381392
```mermaid
@@ -391,7 +402,8 @@ flowchart LR
391402
S1[🛡️ CodeQL Analysis]
392403
S2[📦 Dependency Review]
393404
S3[🏆 OSSF Scorecard]
394-
S4[🔐 Runner Hardening]
405+
S4[� SBOM Quality Check]
406+
S5[�🔐 Runner Hardening]
395407
end
396408
397409
subgraph "📈 Test Coverage"
@@ -416,6 +428,7 @@ flowchart LR
416428
A1 --> S2
417429
A1 --> S3
418430
A1 --> S4
431+
A1 --> S5
419432
420433
A5 --> C1
421434
A5 --> C2
@@ -424,6 +437,7 @@ flowchart LR
424437
S1 --> C5
425438
S2 --> C5
426439
S3 --> C5
440+
S4 --> C5
427441
428442
%% Styling
429443
classDef pipeline fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
@@ -442,6 +456,7 @@ flowchart LR
442456
- **CodeQL Analysis**: Automated vulnerability scanning on push/PR
443457
- **Dependency Review**: Checks for known vulnerabilities in dependencies
444458
- **License Compliance**: Validates all dependencies use approved open-source licenses
459+
- **SBOM Quality Validation**: Automated SBOM quality assessment using SBOMQS with minimum 7.0/10 score requirement
445460
- **OSSF Scorecard**: Supply chain security assessment with public scoring
446461
- **Runner Hardening**: All CI/CD runners use hardened security policies
447462

0 commit comments

Comments
 (0)