feat: add SBOM generation and vulnerability scanning steps to CI work… #48
| name: AIBomGen-cli Go Build | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| go-version: [ '1.25.x', '1.24.x', '1.23.x', '1.22.x', '1.21.x' ] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go ${{ matrix.go-version }} | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| check-latest: true | |
| cache: true | |
| cache-dependency-path: | | |
| **/go.sum | |
| **/go.work.sum | |
| - name: Show Go env | |
| run: | | |
| go version | |
| go env GOMODCACHE GOCACHE GOOS GOARCH | |
| - name: Install dependencies | |
| run: go mod tidy | |
| - name: Run tests (no coverage) | |
| if: ${{ matrix.go-version != '1.25.x' }} | |
| run: go test ./... | |
| - name: Run tests (with coverage) | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: go test ./... -coverprofile=coverage.out -covermode=atomic | |
| - name: Upload coverage to Codecov | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./coverage.out | |
| flags: unittests | |
| name: codecov-umbrella | |
| fail_ci_if_error: false | |
| - name: Build | |
| run: go build ./... | |
| - name: Install Syft, Grype and Cosign | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y jq curl | |
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | |
| curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin | |
| curl -sfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o /usr/local/bin/cosign | |
| chmod +x /usr/local/bin/cosign | |
| - name: Generate SBOM (Syft) | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: syft ./AIBoMGen-cli -o cyclonedx-json=sbom-binary.json | |
| - name: Scan SBOM for vulnerabilities (Grype) | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: grype sbom:./sbom-binary.json -o cyclonedx-json=sbom-binary-vulnerabilities.json | |
| - name: Sign SBOM (Keyless) | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: | | |
| cosign sign-blob --yes \ | |
| --oidc-issuer=https://token.actions.githubusercontent.com \ | |
| --bundle=sbom.bundle.json \ | |
| sbom-binary-vulnerabilities.json | |
| - name: Fail if vulnerabilities found | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: | | |
| if [ ! -f sbom-binary-vulnerabilities.json ]; then | |
| echo "vulnerabilities file not found"; exit 1 | |
| fi | |
| count=$(jq '.vulnerabilities | length' sbom-binary-vulnerabilities.json || echo 0) | |
| if [ "$count" -gt 0 ]; then | |
| echo "Found $count vulnerabilities in SBOM"; exit 1 | |
| fi | |
| - name: Upload SBOM artifacts | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-artifacts | |
| path: | | |
| sbom-binary.json | |
| sbom-binary-vulnerabilities.json | |
| sbom.bundle.json |
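Review bot: The keyless `cosign sign-blob` step needs an OIDC token, but the workflow declares no `permissions:` block, so `id-token: write` is never granted and the Sigstore token request will fail; add at workflow or job level `permissions:` / `  contents: read` / `  id-token: write`, and since fork `pull_request` runs receive no OIDC token at all, the signing step should probably also be gated on `github.event_name == 'push'`. The step named "Sign SBOM" signs `sbom-binary-vulnerabilities.json` (the Grype report) rather than the Syft output `sbom-binary.json`, so anyone verifying `sbom.bundle.json` against the SBOM will get a mismatch; sign the SBOM (or both files with separate bundles). The Syft, Grype and Cosign installers are fetched unpinned from `main` and `releases/latest` via `curl | sh` with no checksum or signature verification, which puts the provenance tooling itself on an unverified path; pin versions and verify digests, or use the official `anchore/sbom-action`, `anchore/scan-action` and `sigstore/cosign-installer` actions pinned to a commit SHA. In the failure gate, `jq ... || echo 0` turns any jq parse error into a zero count and a passing job, so drop the `|| echo 0` (and run the step under `set -euo pipefail`) so a malformed report fails the build instead of silently reporting no findings.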