5252 fail_ci_if_error : false
5353
5454 - name : Build
55- run : go build ./...
55+ run : go build ./...
56+ - name : Install Syft, Grype and Cosign
57+ if : ${{ matrix.go-version == '1.25.x' }}
58+ run : |
59+ sudo apt-get update
60+ sudo apt-get install -y jq curl
61+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
62+ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
63+ curl -sfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o /usr/local/bin/cosign
64+ chmod +x /usr/local/bin/cosign
65+
66+ - name : Generate SBOM (Syft)
67+ if : ${{ matrix.go-version == '1.25.x' }}
68+ run : syft ./AIBoMGen-cli -o cyclonedx-json=sbom-binary.json
69+
70+ - name : Scan SBOM for vulnerabilities (Grype)
71+ if : ${{ matrix.go-version == '1.25.x' }}
72+ run : grype sbom:./sbom-binary.json -o cyclonedx-json=sbom-binary-vulnerabilities.json
73+
74+ - name : Sign SBOM (Keyless)
75+ if : ${{ matrix.go-version == '1.25.x' }}
76+ run : |
77+ cosign sign-blob --yes \
78+ --oidc-issuer=https://token.actions.githubusercontent.com \
79+ --bundle=sbom.bundle.json \
80+ sbom-binary-vulnerabilities.json
81+
82+ - name : Fail if vulnerabilities found
83+ if : ${{ matrix.go-version == '1.25.x' }}
84+ run : |
85+ if [ ! -f sbom-binary-vulnerabilities.json ]; then
86+ echo "vulnerabilities file not found"; exit 1
87+ fi
88+ count=$(jq '.vulnerabilities | length' sbom-binary-vulnerabilities.json || echo 0)
89+ if [ "$count" -gt 0 ]; then
90+ echo "Found $count vulnerabilities in SBOM"; exit 1
91+ fi
92+
93+ - name : Upload SBOM artifacts
94+ if : ${{ matrix.go-version == '1.25.x' }}
95+ uses : actions/upload-artifact@v4
96+ with :
97+ name : sbom-artifacts
98+ path : |
99+ sbom-binary.json
100+ sbom-binary-vulnerabilities.json
101+ sbom.bundle.json