
Consider expanding heuristics for GitHub Actions workflows #21

Open
bureado opened this issue Jan 3, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@bureado

bureado commented Jan 3, 2024

There are various patterns a workflow maintainer might engage in to create and persist an SBOM. GitHub Code Search could be potentially used to identify some of those:

```
path:.github AND (("oras push" AND "sbom") OR "cosign attach sbom" OR /uses.*publish-sbom/)
```

With a positive assertion done via GitHub REST API inspection of release assets or workflow artifacts.

Such a search could be expanded with BuildKit's SBOM attestation patterns:

```
path:.github spdx.dev/Document OR (docker/build-push-action AND "sbom: ")
```

With a positive assertion done via index traversal per current attestation storage format.
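The two-stage approach sketched in the comment above (cheap text heuristics over workflow files, then a "positive assertion" against what was actually published), as an added example that is not part of the issue or of the project's own code. The heuristics are the two code-search queries rewritten as Python matchers; the first assertion step checks the `assets` array of a GitHub REST API release response by filename (the filename conventions are an assumption); the second walks an OCI image index the way BuildKit stores attestations, using the `vnd.docker.reference.type` / `vnd.docker.reference.digest` annotations on the attestation manifest and the `in-toto.io/predicate-type` annotation on its layers. All workflow snippets, asset lists, digests and manifests are constructed inline so the example runs offline; `fetch_manifest` stands in for a registry fetch.

```python
"""Heuristics for spotting SBOM-producing GitHub Actions workflows.

Added example, not code from the issue or the project. Stage 1 mirrors the
two code-search queries as matchers over workflow text; stage 2 shows the
two "positive assertion" checks on constructed inputs.
"""
import re

# --- stage 1: workflow text heuristics (same patterns as the two queries) ----
WORKFLOW_PATTERNS = {
    "oras-push-sbom": lambda t: "oras push" in t and "sbom" in t.lower(),
    "cosign-attach-sbom": lambda t: "cosign attach sbom" in t,
    "publish-sbom-action": lambda t: re.search(r"uses:.*publish-sbom", t) is not None,
    "spdx-document-ref": lambda t: "spdx.dev/Document" in t,
    "buildkit-sbom-input": lambda t: "docker/build-push-action" in t
    and re.search(r"^\s*sbom:\s", t, re.M) is not None,
}


def match_workflow(text: str) -> list[str]:
    """Return the names of every heuristic that fires on one workflow file."""
    return [name for name, matcher in WORKFLOW_PATTERNS.items() if matcher(text)]


# Constructed (hypothetical) workflow snippets, not from any real repository.
WORKFLOW_BUILDKIT = """\
jobs:
  build:
    steps:
      - uses: docker/build-push-action@v5
        with:
          push: true
          sbom: true
"""
WORKFLOW_COSIGN = """\
jobs:
  release:
    steps:
      - run: syft packages . -o spdx-json > sbom.spdx.json
      - run: cosign attach sbom --sbom sbom.spdx.json ghcr.io/example/app:latest
"""
WORKFLOW_NONE = "jobs:\n  test:\n    steps:\n      - run: make test\n"

# --- stage 2a: positive assertion via release assets -------------------------
# Filename conventions below are an assumption, not a standard.
SBOM_ASSET_SUFFIXES = (".spdx.json", ".spdx", ".cdx.json", ".cyclonedx.json", ".sbom")


def sbom_release_assets(assets: list[dict]) -> list[str]:
    """Filter the `assets` array of a GET /repos/{owner}/{repo}/releases/{id}
    response (only `name` is used) down to names that look like SBOMs."""
    return [a["name"] for a in assets
            if a.get("name", "").lower().endswith(SBOM_ASSET_SUFFIXES)
            or "sbom" in a.get("name", "").lower()]


RELEASE_ASSETS = [  # constructed sample, shaped like the REST API response
    {"name": "app-1.2.0-linux-amd64.tar.gz"},
    {"name": "app-1.2.0.spdx.json"},
    {"name": "checksums.txt"},
]

# --- stage 2b: positive assertion via BuildKit attestation index traversal ---
REF_TYPE = "vnd.docker.reference.type"        # BuildKit annotation on the index entry
REF_DIGEST = "vnd.docker.reference.digest"    # digest of the image manifest it covers
PREDICATE_TYPE = "in-toto.io/predicate-type"  # annotation on each in-toto layer
SPDX_PREDICATE = "https://spdx.dev/Document"


def find_sbom_attestations(index: dict, fetch_manifest) -> list[tuple[str, str]]:
    """Return (subject image digest, SBOM layer digest) for every SPDX
    attestation reachable from an OCI image index. `fetch_manifest(digest)`
    stands in for fetching a manifest from the registry."""
    found = []
    for desc in index.get("manifests", []):
        ann = desc.get("annotations", {})
        if ann.get(REF_TYPE) != "attestation-manifest":
            continue  # a normal platform manifest, not an attestation manifest
        subject = ann.get(REF_DIGEST)
        for layer in fetch_manifest(desc["digest"]).get("layers", []):
            if layer.get("annotations", {}).get(PREDICATE_TYPE) == SPDX_PREDICATE:
                found.append((subject, layer["digest"]))
    return found


# Constructed digests and manifests (placeholders, not real content hashes).
IMAGE_DIGEST, ATT_DIGEST = "sha256:" + "11" * 32, "sha256:" + "22" * 32
SBOM_LAYER, PROV_LAYER = "sha256:" + "33" * 32, "sha256:" + "44" * 32
SAMPLE_INDEX = {"schemaVersion": 2, "manifests": [
    {"digest": IMAGE_DIGEST, "platform": {"architecture": "amd64", "os": "linux"}},
    {"digest": ATT_DIGEST, "platform": {"architecture": "unknown", "os": "unknown"},
     "annotations": {REF_TYPE: "attestation-manifest", REF_DIGEST: IMAGE_DIGEST}},
]}
SAMPLE_MANIFESTS = {ATT_DIGEST: {"schemaVersion": 2, "layers": [
    {"mediaType": "application/vnd.in-toto+json", "digest": PROV_LAYER,
     "annotations": {PREDICATE_TYPE: "https://slsa.dev/provenance/v0.2"}},
    {"mediaType": "application/vnd.in-toto+json", "digest": SBOM_LAYER,
     "annotations": {PREDICATE_TYPE: SPDX_PREDICATE}},
]}}

if __name__ == "__main__":
    for name, wf in [("buildkit", WORKFLOW_BUILDKIT), ("cosign", WORKFLOW_COSIGN), ("none", WORKFLOW_NONE)]:
        print(name, match_workflow(wf))
    print(sbom_release_assets(RELEASE_ASSETS))
    print(find_sbom_attestations(SAMPLE_INDEX, SAMPLE_MANIFESTS.__getitem__))
```

Against real data, stage 1 would be fed the files returned by the code-search query, `sbom_release_assets` the JSON from the releases endpoint, and `find_sbom_attestations` the index of the image the workflow pushed, with `fetch_manifest` doing the registry GET; the heuristic only says a workflow *tries* to publish an SBOM, so neither assertion step should be skipped.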

@jspeed-meyers jspeed-meyers added the enhancement New feature or request label Jan 3, 2024
@jspeed-meyers
Collaborator

@bureado: this is a great idea. Nice thinking!

If you or others want to add SBOMs found via this method, I'm glad to merge such a PR!
