@@ -15,6 +15,7 @@ This template implements comprehensive security measures:
1515- ** 🔍 Static Analysis** - CodeQL scanning for vulnerabilities
1616- ** 📦 Dependency Protection** - Automated dependency vulnerability checks
1717- ** � License Compliance** - Automated checking of dependency licenses (MIT, Apache-2.0, BSD variants, ISC, CC0-1.0, Unlicense)
18+ - ** 📋 SBOM Quality Validation** - Automated SBOM quality scoring with minimum 7.0/10 threshold using SBOMQS
1819- ** �🔐 Runner Hardening** - All CI/CD runners are hardened with audit logging
1920- ** 📋 Security Policies** - GitHub security advisories and vulnerability reporting
2021- ** 🏷️ Pinned Dependencies** - All GitHub Actions pinned to specific SHA hashes
@@ -106,16 +107,16 @@ With the template configured, you can now:
106107
107108Your repository includes these automated workflows:
108109
109- | Workflow | Trigger | Purpose |
110- | ----------------------------- | ---------------- | ----------------------------------------------------------------------- |
111- | ** Setup Repository Labels** | Manual | Creates all required labels for PR categorization |
112- | ** Test and Report** | Push/PR | Runs unit tests, E2E tests, license compliance, and generates coverage |
113- | ** Build, Attest and Release** | Manual/Tag | Creates secure releases with SBOM, license validation, and attestations |
114- | ** CodeQL Analysis** | Push/PR/Schedule | Static code analysis for security vulnerabilities |
115- | ** Dependency Review** | PR | Reviews dependencies for known vulnerabilities |
116- | ** Scorecard Analysis** | Push/Schedule | OSSF supply chain security assessment |
117- | ** ZAP Security Scan** | Manual | Dynamic security testing of deployed app |
118- | ** Lighthouse Performance** | Manual | Performance and accessibility audits |
110+ | Workflow | Trigger | Purpose |
111+ | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------- |
112+ | ** Setup Repository Labels** | Manual | Creates all required labels for PR categorization |
113+ | ** Test and Report** | Push/PR | Runs unit tests, E2E tests, license compliance, SBOM quality validation, and generates coverage |
114+ | ** Build, Attest and Release** | Manual/Tag | Creates secure releases with SBOM, license validation, and attestations |
115+ | ** CodeQL Analysis** | Push/PR/Schedule | Static code analysis for security vulnerabilities |
116+ | ** Dependency Review** | PR | Reviews dependencies for known vulnerabilities |
117+ | ** Scorecard Analysis** | Push/Schedule | OSSF supply chain security assessment |
118+ | ** ZAP Security Scan** | Manual | Dynamic security testing of deployed app |
119+ | ** Lighthouse Performance** | Manual | Performance and accessibility audits |
119120
120121### 🛡️ Security Features Ready to Use
121122
@@ -125,6 +126,7 @@ Once configured, your repository automatically provides:
125126- ** 🔍 Static Analysis** - CodeQL scanning for vulnerabilities
126127- ** 📦 Dependency Protection** - Automated dependency vulnerability checks
127128- ** � License Compliance** - Automated checking of dependency licenses (MIT, Apache-2.0, BSD variants, ISC, CC0-1.0, Unlicense)
129+ - ** 📋 SBOM Quality Validation** - Automated SBOM quality scoring with minimum 7.0/10 threshold using SBOMQS
128130- ** �🔐 Runner Hardening** - All CI/CD runners are hardened with audit logging
129131- ** 📋 Security Policies** - GitHub security advisories and vulnerability reporting
130132- ** 🏷️ Pinned Dependencies** - All GitHub Actions pinned to specific SHA hashes
@@ -376,6 +378,15 @@ export function Game() {
376378- Prevents dependencies with restrictive or unknown licenses
377379- Run with: ` npm run test:licenses `
378380
381+ ### SBOM Quality Validation
382+
383+ - Automated SBOM quality assessment using [ SBOMQS] ( https://github.com/interlynk-io/sbomqs ) during CI/CD builds
384+ - Validates SBOM completeness across multiple standards (NTIA-minimum-elements, BSI v1.1/v2.0, Semantic, Quality, Sharing, Structural)
385+ - Enforces minimum quality score of ** 7.0/10** to ensure high-quality Software Bill of Materials
386+ - Checks for essential components: names, versions, unique IDs, suppliers, licenses, checksums, and dependency relationships
387+ - Blocks builds with insufficient SBOM quality to maintain supply chain transparency
388+ - Provides detailed quality reports with actionable feedback for improvement
389+
379390### CI/CD Pipeline
380391
381392``` mermaid
@@ -391,7 +402,8 @@ flowchart LR
391402 S1[🛡️ CodeQL Analysis]
392403 S2[📦 Dependency Review]
393404 S3[🏆 OSSF Scorecard]
394- S4[🔐 Runner Hardening]
405+ S4[� SBOM Quality Check]
406+ S5[�🔐 Runner Hardening]
395407 end
396408
397409 subgraph "📈 Test Coverage"
@@ -416,6 +428,7 @@ flowchart LR
416428 A1 --> S2
417429 A1 --> S3
418430 A1 --> S4
431+ A1 --> S5
419432
420433 A5 --> C1
421434 A5 --> C2
@@ -424,6 +437,7 @@ flowchart LR
424437 S1 --> C5
425438 S2 --> C5
426439 S3 --> C5
440+ S4 --> C5
427441
428442 %% Styling
429443 classDef pipeline fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
@@ -442,6 +456,7 @@ flowchart LR
442456- ** CodeQL Analysis** : Automated vulnerability scanning on push/PR
443457- ** Dependency Review** : Checks for known vulnerabilities in dependencies
444458- ** License Compliance** : Validates all dependencies use approved open-source licenses
459+ - ** SBOM Quality Validation** : Automated SBOM quality assessment using SBOMQS with minimum 7.0/10 score requirement
445460- ** OSSF Scorecard** : Supply chain security assessment with public scoring
446461- ** Runner Hardening** : All CI/CD runners use hardened security policies
447462
0 commit comments