[CRAVEX] SCA Integrations: Trivy #4
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate SBOM with Trivy and load into ScanCode.io | |
| # This workflow: | |
| # 1. Generates a CycloneDX SBOM for a container image using Trivy. | |
| # 2. Uploads the SBOM as a GitHub artifact for future inspection. | |
| # 3. Loads the SBOM into ScanCode.io for further analysis. | |
| # 4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io. | |
| # | |
| # It runs on demand, and once a week (scheduled). | |
| on: | |
| workflow_dispatch: | |
| # TODO: Remove once working properly, ie before merging. | |
| pull_request: | |
| schedule: | |
| # Run once a week (every 7 days) at 00:00 UTC on Sunday | |
| - cron: "0 0 * * 0" | |
| permissions: | |
| contents: read | |
| env: | |
| IMAGE_REFERENCE: "python:3.13.0-slim" | |
| jobs: | |
| generate-and-load-sbom: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Generate CycloneDX SBOM with Trivy | |
| uses: aquasecurity/trivy-action@0.32.0 | |
| with: | |
| scan-type: "image" | |
| image-ref: ${{ env.IMAGE_REFERENCE }} | |
| format: "cyclonedx" | |
| output: "trivy-report.sbom.json" | |
| scanners: "vuln,license" | |
| version: "latest" | |
| - name: Upload SBOM as GitHub Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: trivy-sbom-report | |
| path: "${{ github.workspace }}/trivy-report.sbom.json" | |
| retention-days: 20 | |
| - name: Import SBOM into ScanCode.io | |
| uses: aboutcode-org/scancode-action@main | |
| with: | |
| pipelines: "load_sbom" | |
| inputs-path: "${{ github.workspace }}/trivy-report.sbom.json" | |
| # TODO: Remove before merging | |
| scancodeio-repo-branch: "1729-sca-integrations-trivy" | |
| - name: Verify SBOM Analysis Results in ScanCode.io | |
| shell: bash | |
| run: | | |
| scanpipe shell --command "\ | |
| from scanpipe.models import DiscoveredPackage, DiscoveredDependency; \ | |
| package_manager = DiscoveredPackage.objects; \ | |
| assert package_manager.count() > 90; \ | |
| assert package_manager.vulnerable().count() > 40; \ | |
| assert DiscoveredDependency.objects.count() > 190; \ | |
| " |