66 - ' v*'
77
88permissions :
9+ actions : read
10+ security-events : write
911 contents : write
1012
1113jobs :
@@ -33,14 +35,147 @@ jobs:
3335 env :
3436 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
3537
38+ - name : Add Job Summary
39+ run : |
40+ echo "### 🚀 Release Completed" >> $GITHUB_STEP_SUMMARY
41+ echo "- ✅ GoReleaser successfully published binaries and SBOM" >> $GITHUB_STEP_SUMMARY
42+
43+ generate_sbom :
44+ name : 🔏 Generate SBOM
45+ runs-on : ubuntu-latest
46+ needs : goreleaser
47+
48+ steps :
49+ - name : Checkout Repository
50+ uses : actions/checkout@v4
51+
52+ - name : Setup Go
53+ uses : actions/setup-go@v5
54+ with :
55+ go-version : " 1.21"
56+ check-latest : true
57+
58+ - name : Generate SBOM (CycloneDX)
59+ uses : CycloneDX/gh-gomod-generate-sbom@v2
60+ with :
61+ version : v1
62+ args : mod -licenses -json -output-version 1.6 -output sbom-validator.${{ github.ref_name }}.cdx.json
63+ env :
64+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
65+
66+ - name : Sign SBOM
67+ uses : shiftleftcyber/secure-sbom-action@v1.3.1
68+ with :
69+ sbom_file : sbom-validator.${{ github.ref_name }}.cdx.json
70+ secure_sbom_action : sign
71+ api_key : ${{ secrets.SECURE_SBOM_API_KEY }}
72+ key_id : ${{ secrets.SECURE_SBOM_KEYID }}
73+
74+ - name : Upload SBOM Artifacts
75+ uses : actions/upload-artifact@v4
76+ with :
77+ name : unsigned-sbom
78+ path : sbom-validator.${{ github.ref_name }}.cdx.json
79+ retention-days : 7
80+
81+ - name : Add Job Summary
82+ run : |
83+ echo "### 🔏 SBOM Generated & Signed" >> $GITHUB_STEP_SUMMARY
84+ echo "- ✅ CycloneDX SBOM created" >> $GITHUB_STEP_SUMMARY
85+ echo "- 🔐 Signed with SecureSBOM API" >> $GITHUB_STEP_SUMMARY
86+ echo "- 📦 Uploaded as release asset" >> $GITHUB_STEP_SUMMARY
87+
88+ sign-sbom :
89+ name : Sign SBOM via SecureSBOM
90+ needs : generate_sbom
91+ runs-on : ubuntu-latest
92+
93+ steps :
94+ - name : Checkout Repo
95+ uses : actions/checkout@v4
96+
97+ - name : Download Signed SBOM
98+ uses : actions/download-artifact@v4
99+ with :
100+ name : unsigned-sbom
101+ path : .
102+
103+ - name : Sign SBOM via SecureSBOM
104+ uses : shiftleftcyber/secure-sbom-action@v1.3.1
105+ with :
106+ sbom_file : sbom-validator.${{ github.ref_name }}.cdx.json
107+ secure_sbom_action : sign
108+ api_key : ${{ secrets.SECURE_SBOM_API_KEY }}
109+ key_id : ${{ secrets.SECURE_SBOM_KEYID }}
110+
111+ - name : Upload Signed SBOM
112+ uses : actions/upload-artifact@v4
113+ with :
114+ name : signed-sbom
115+ path : sbom-validator.${{ github.ref_name }}.cdx.signed.json
116+ retention-days : 7
117+
36118 - name : Upload Signed SBOM to Release
37119 uses : softprops/action-gh-release@v2
38120 with :
39- files : |
40- sbom-validator.${{ github.ref_name }}.cdx.signed.json
121+ files : sbom-validator.${{ github.ref_name }}.cdx.signed.json
41122
123+ osv-scan :
124+ name : 🔎 OSV Scan
125+ needs : generate_sbom
126+ runs-on : ubuntu-latest
127+ permissions :
128+ security-events : write
129+ contents : read
130+ actions : read
131+
132+ steps :
133+ - name : Checkout Repo
134+ uses : actions/checkout@v4
135+
136+ - name : Download Signed SBOM
137+ uses : actions/download-artifact@v4
138+ with :
139+ name : unsigned-sbom
140+ path : .
141+
142+ - name : Run OSV Scanner
143+ run : |
144+ docker run --rm -v ${{ github.workspace }}:/opt --workdir /opt ghcr.io/google/osv-scanner:latest \
145+ scan --lockfile sbom-validator.${{ github.ref_name }}.cdx.json \
146+ --format json --output osv-scan-report.json || true
147+
148+ - name : Upload OSV Report
149+ uses : actions/upload-artifact@v4
150+ with :
151+ name : osv-scan-report
152+ path : osv-scan-report.json
153+
154+ - name : Enforce Security Gate
155+ id : enforce-gate
156+ run : |
157+ echo "🔍 Evaluating OSV scan results..."
158+ COUNT=$(jq '[.results[] | select(.severity == "HIGH" or .severity == "CRITICAL")] | length' osv-scan-report.json)
159+ if [ "$COUNT" -gt 0 ]; then
160+ echo "❌ Blocking release - $COUNT high/critical vulnerabilities detected!"
161+ jq '.results[] | select(.severity == "HIGH" or .severity == "CRITICAL") | {package: .package.name, severity: .severity, summary: .summary}' osv-scan-report.json
162+ echo "blocked=true" >> $GITHUB_OUTPUT
163+ exit 1
164+ else
165+ echo "✅ No blocking vulnerabilities found."
166+ echo "blocked=false" >> $GITHUB_OUTPUT
167+ fi
168+
42169 - name : Add Job Summary
170+ if : always()
43171 run : |
44- echo "### 🚀 Release Completed" >> $GITHUB_STEP_SUMMARY
45- echo "- ✅ GoReleaser successfully published binaries and SBOM" >> $GITHUB_STEP_SUMMARY
46- echo "- 🔏 Signed SBOM attached to GitHub release" >> $GITHUB_STEP_SUMMARY
172+ echo "### 🔒 OSV Vulnerability Scan Summary" >> $GITHUB_STEP_SUMMARY
173+ echo "- **Scan file:** \`osv-scan-report.json\`" >> $GITHUB_STEP_SUMMARY
174+ if [[ '${{ steps.enforce-gate.outputs.blocked }}' == 'true' ]]; then
175+ echo "- ❌ **High/Critical vulnerabilities found — release blocked**" >> $GITHUB_STEP_SUMMARY
176+ else
177+ echo "- ✅ **No blocking vulnerabilities detected — safe to proceed**" >> $GITHUB_STEP_SUMMARY
178+ fi
179+ echo "" >> $GITHUB_STEP_SUMMARY
180+ echo "For full report, download the [osv-scan-report artifact](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})" >> $GITHUB_STEP_SUMMARY
181+
0 commit comments