
Commit e97cf89

rkg-mmmm-psy
andauthored
Generate SBOM for Container & application (#24)
* Generate application SBOM * Generate Container SBOM, extract App SBOM, upload both to artifacts * Exclude SBOM generation from PR runs * Fix wrong solution path --------- Co-authored-by: mm-psy <147830298+mm-psy@users.noreply.github.com>
1 parent 596ade6 commit e97cf89

2 files changed

Lines changed: 42 additions & 0 deletions


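--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -92,3 +92,33 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
+
+# Extract the pure application SBOM from the artifact stage, we want to handle it separately from the container SBOM
+# This automaticaly re-uses the previously generated stage from cache, so we get the exact sbom from previous build step
+- name: Export Application SBOM from artifact stage
+if: ${{ github.event_name != 'pull_request' }}
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+with:
+context: ${{ env.BUILD_CONTEXT }}
+file: ${{ env.DOCKERFILE_PATH }}
+target: app-sbom-artifact
+push: false
+outputs: type=local,dest=sbom-output
+
+# Generate container SBOM.
+- name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container
+if: ${{ github.event_name != 'pull_request' }}
+uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+with:
+scan-type: 'image'
+format: 'cyclonedx'
+output: 'sbom-output/sbom_container.cyclonedx.json'
+image-ref: ${{ steps.meta.outputs.tags }}
+skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a seperate SBOM for easier vulnerability management and because trivy misses important fields
+
+- name: Upload trivy/container AND application SBOMs as a Github artifact
+if: ${{ github.event_name != 'pull_request' }}
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+with:
+name: sbom
+path: '${{ github.workspace }}/sbom-output/'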
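Review bot: `image-ref: ${{ steps.meta.outputs.tags }}` passes the whole `tags` output to Trivy, and docker/metadata-action emits that as a newline-separated list, so as soon as the metadata step yields more than one tag the scan either fails or scans a ref other than the one intended. Prefer a single reference, e.g. `image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}`, or better the pushed digest from the build step if that step has an id (the build step lives above this hunk, so I cannot confirm its id or whether it pushes on non-PR runs). The trailing comment on `skip-dirs` says `/app` while the value is `/App`; since the Dockerfile's WORKDIR is `/App`, align the comment with the value to avoid a future "fix" in the wrong direction. The enclosing job starts before this hunk.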

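--- a/source/AAS.TwinEngine.Plugin.RelationalDatabase/Dockerfile
+++ b/source/AAS.TwinEngine.Plugin.RelationalDatabase/Dockerfile
@@ -1,10 +1,22 @@
 FROM mcr.microsoft.com/dotnet/sdk:8.0@sha256:aa05b91be697b83229cb000b90120f0783604ad74ed92a0b45cdf3d1a9c873de AS build
+# Install CycloneDX SBOM Generator Package
+RUN dotnet tool install --global CycloneDX --version 5.5.0
+ENV PATH="$PATH:/root/.dotnet/tools"
+# Build application
 ARG BUILD_CONFIGURATION=Release
 WORKDIR /App
 COPY ["AAS.TwinEngine.Plugin.RelationalDatabase/", "AAS.TwinEngine.Plugin.RelationalDatabase/"]
 RUN dotnet restore "AAS.TwinEngine.Plugin.RelationalDatabase/AAS.TwinEngine.Plugin.RelationalDatabase.csproj"
 RUN dotnet publish "AAS.TwinEngine.Plugin.RelationalDatabase/AAS.TwinEngine.Plugin.RelationalDatabase.csproj" -c "$BUILD_CONFIGURATION" -o out
 
+# Generate Application SBOM at sbom/bom.xml (omitting dev/test dependencies as they do not appear in final build)
+RUN dotnet-CycloneDX "AAS.TwinEngine.Plugin.RelationalDatabase/AAS.TwinEngine.Plugin.RelationalDatabase.csproj" -o "sbom/" --exclude-dev --exclude-test-projects --set-nuget-purl --spec-version 1.6 --disable-package-restore
+
+# Create an "app-sbom-artifact" image which can be use to extract the pure APP SBOM after completing the docker build (we want to keep the SBOM for the application separate from the pure linux image SBOM as this provides more details and simplifies vuln management)
+FROM scratch AS app-sbom-artifact
+COPY --from=build /App/sbom/bom.xml /sbom_application.cyclonedx.xml
+
+# Create final image containing application
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine@sha256:a0ce42fe86548363a9602c47fc3bd4cf9c35a2705c68cd98d7ce18ae8735b83c
 USER app
 WORKDIR /App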
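Review bot: The two SBOMs end up in different serialisations: `dotnet-CycloneDX` writes `sbom/bom.xml`, exported as `sbom_application.cyclonedx.xml`, while the workflow's Trivy step writes `sbom_container.cyclonedx.json`, so every consumer of the `sbom` artifact has to parse both XML and JSON. Adding `--json` to the generator call (it then emits `bom.json`) and copying it with `COPY --from=build /App/sbom/bom.json /sbom_application.cyclonedx.json` keeps both files in one format; the header comment would then read `# Generate Application SBOM at sbom/bom.json`. The tool version is pinned with `--version 5.5.0`, which is the right call for a reproducible supply-chain artifact, and the `ENV PATH` addition only lives in the build stage, so it does not reach the runtime image. The final stage continues past the end of this hunk.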
