feat: As a developer I want a pipeline to create a SBOM and analyse i…

…t with through the CSAF

.github/workflows/c4po-ci.yml

@@ -11,7 +11,8 @@ name: "Security C4PO CI"
 
 on:
   pull_request:
-    branches: [ "main" ]
+    # ToDo: Change back to main
+    branches: [ "test" ]
 
 
 env:

.github/workflows/c4po-sbom.yml

@@ -0,0 +1,128 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: "Supply Chain Security C4PO SBOM Demo"
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+
+env:
+  ANGULAR_PATH: security-c4po-angular
+  API_PATH: security-c4po-api
+  REPORTING_PATH: security-c4po-reporting
+  CFG_PATH: security-c4po-cfg
+
+  ANGULAR_CLI_VERSION: 13
+
+
+jobs:
+
+  angular_job:
+    name: "Angular SBOM Job"
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Check out code"
+        uses: actions/checkout@v3
+
+      - name: "Use Node.js 14.x"
+        uses: actions/setup-node@v1
+        with:
+          node-version: '14.x'
+          cache: 'npm'
+
+      - name: "Install NPM dependencies"
+        run: |
+          cd $ANGULAR_PATH
+          npm ci
+
+      - name: "Build assets"
+        run: |
+          cd $ANGULAR_PATH
+          npm run build --if-present
+
+      - name: "Run tests"
+        run: |
+          cd $ANGULAR_PATH
+          npm test
+
+      - name: "Generate SBOM"
+        id: sbom
+        uses: anchore/sbom-action@v0
+        with:
+          format: cyclonedx-json
+          output-file: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
+          # upload-artifact: true
+
+      - name: Scan SBOM
+        uses: anchore/scan-action@v3
+        with:
+          sbom: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
+          fail-build: false          #fail_conditions: 'vulnerability_critical|vulnerability_high|vulnerability_medium|vulnerability_count'
+          severity-cutoff: critical
+
+      - name: "Upload Scanned SBOM as Artifact"
+        uses: actions/upload-artifact@v3
+        with:
+          name: scanned-sbom
+          path: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
+
+# shift + cmd + /
+#   api_job:
+#     name: "API Job"
+
+#     runs-on: ubuntu-latest
+
+#     steps:
+#       - name: "Check out code"
+#         uses: actions/checkout@v3
+
+#       - name: "Set up JDK 11"
+#         uses: actions/setup-java@v3
+#         with:
+#           java-version: '11'
+#           distribution: 'temurin'
+
+#       - name: "Setup Gradle"
+#         uses: gradle/gradle-build-action@v2
+#         with:
+#           gradle-version: 6.5
+
+#       - name: "Execute Gradle build"
+#         run: |
+#           cd $API_PATH
+#           ./gradlew clean build -x dependencyCheckAnalyze
+
+#   reporting_job:
+#     name: "Reporting Job"
+
+#     runs-on: ubuntu-latest
+
+#     steps:
+#       - name: "Check out code"
+#         uses: actions/checkout@v3
+
+#       - name: "Set up JDK 11"
+#         uses: actions/setup-java@v3
+#         with:
+#           java-version: '11'
+#           distribution: 'temurin'
+
+#       - name: "Setup Gradle"
+#         uses: gradle/gradle-build-action@v2
+#         with:
+#           gradle-version: 6.5
+
+#       - name: "Execute Gradle build"
+#         run: |
+#           cd $REPORTING_PATH
+#           ./gradlew clean build