diff --git a/.github/workflows/c4po-ci.yml b/.github/workflows/c4po-ci.yml
index fe89b39..c4c2fca 100644
--- a/.github/workflows/c4po-ci.yml
+++ b/.github/workflows/c4po-ci.yml
@@ -11,7 +11,8 @@ name: "Security C4PO CI"
 
 on:
   pull_request:
-    branches: [ "main" ]
+    # ToDo: Change back to main
+    branches: [ "test" ]
 
 
 env:
diff --git a/.github/workflows/c4po-sbom.yml b/.github/workflows/c4po-sbom.yml
new file mode 100644
index 0000000..1402647
--- /dev/null
+++ b/.github/workflows/c4po-sbom.yml
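Review bot: Switching `branches:` to `[ "test" ]` with only a ToDo comment means the Security C4PO CI no longer runs for pull requests targeting `main`, so if this lands before the ToDo is acted on, main loses the check entirely. Keeping both targets, `branches: [ "main", "test" ]`, gives the test branch coverage without dropping it from main. If the change is meant to be temporary, referencing a tracking issue from the comment makes the revert harder to forget.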
@@ -0,0 +1,149 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: "Supply Chain Security C4PO SBOM Demo"
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+
+env:
+  ANGULAR_PATH: security-c4po-angular
+  API_PATH: security-c4po-api
+  REPORTING_PATH: security-c4po-reporting
+  CFG_PATH: security-c4po-cfg
+
+  ANGULAR_CLI_VERSION: 13
+
+
+jobs:
+
+  angular_job:
+    name: "Angular SBOM Job"
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Check out code"
+        uses: actions/checkout@v3
+
+      - name: "Use Node.js 14.x"
+        uses: actions/setup-node@v1
+        with:
+          node-version: '14.x'
+          cache: 'npm'
+
+      - name: "Install NPM dependencies"
+        run: |
+          cd $ANGULAR_PATH
+          npm ci
+
+      - name: "Build assets"
+        run: |
+          cd $ANGULAR_PATH
+          npm run build --if-present
+
+      - name: "Run tests"
+        run: |
+          cd $ANGULAR_PATH
+          npm test
+
+      - name: "Generate SBOM"
+        id: sbom
+        uses: anchore/sbom-action@v0
+        with:
+          format: cyclonedx-json
+          output-file: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
+          # upload-artifact: true
+
+      #- name: Scan SBOM
+      # uses: anchore/scan-action@v3
+      # with:
+      # sbom: "${{ github.event.repository.name }}-sbom.cyclonedx.json"
+      # fail_conditions: 'none'
+      # fail_conditions: 'vulnerability_critical|vulnerability_high|vulnerability_medium|vulnerability_count'
+      # fail_on_error: false
+      # fail_on_warning: false
+
+      # Step to run SBOM analysis using Dependency-Check
+      - name: "Run Dependency-Check SBOM Analysis"
+        uses: dependency-check/dependency-check-action@v2
+        with:
+          format: 'CycloneDX' # Specify input format as CycloneDX
+          sbom: '${{ github.event.repository.name }}-sbom.cyclonedx.json' # Specify the location of the CycloneDX SBOM file
+
+      # Optionally, display the analysis report in the GitHub Actions log
+      - name: Display Analysis Report
+        run: cat dependency-check-report.html
+
+      # Optionally, upload the analysis report as an artifact
+      - name: Upload Analysis Report
+        uses: actions/upload-artifact@v3
+        with:
+          name: angular-analysis-report
+          path: dependency-check-report.html
+
+
+      #- name: "Upload Scanned SBOM as Artifact"
+      # uses: actions/upload-artifact@v3
+      # with:
+      # name: scanned-sbom
+      # path: "${{ github.event.repository.name }}-analysed_sbom.cyclonedx.json"
+
+# shift + cmd + /
+# api_job:
+# name: "API Job"
+
+# runs-on: ubuntu-latest
+
+# steps:
+# - name: "Check out code"
+# uses: actions/checkout@v3
+
+# - name: "Set up JDK 11"
+# uses: actions/setup-java@v3
+# with:
+# java-version: '11'
+# distribution: 'temurin'
+
+# - name: "Setup Gradle"
+# uses: gradle/gradle-build-action@v2
+# with:
+# gradle-version: 6.5
+
+# - name: "Execute Gradle build"
+# run: |
+# cd $API_PATH
+# ./gradlew clean build -x dependencyCheckAnalyze
+
+# reporting_job:
+# name: "Reporting Job"
+
+# runs-on: ubuntu-latest
+
+# steps:
+# - name: "Check out code"
+# uses: actions/checkout@v3
+
+# - name: "Set up JDK 11"
+# uses: actions/setup-java@v3
+# with:
+# java-version: '11'
+# distribution: 'temurin'
+
+# - name: "Setup Gradle"
+# uses: gradle/gradle-build-action@v2
+# with:
+# gradle-version: 6.5
+
+# - name: "Execute Gradle build"
+# run: |
+# cd $REPORTING_PATH
+# ./gradlew clean build
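Review bot: Every `uses:` line in the new workflow references a floating tag (`actions/checkout@v3`, `actions/setup-node@v1`, `anchore/sbom-action@v0`, `dependency-check/dependency-check-action@v2`, `actions/upload-artifact@v3`), which contradicts the file's own header comment recommending a commit SHA; for a supply-chain-security workflow each should read like `uses: actions/checkout@<full-commit-sha>  # v3`, with the tag kept as a trailing comment so the pin stays reviewable. The workflow also declares no `permissions:` block, so the job token gets the repository default; an SBOM job only reads the checkout, so a top-level `permissions:` / `  contents: read` is the least-privilege setting (the artifact upload step needs no further scope). Two smaller things to verify: `actions/setup-node@v1` predates the `cache:` input, so `cache: 'npm'` is likely ignored on that version (`actions/setup-node@v3` accepts it), and the `sbom:` input together with the `dependency-check-report.html` path read by the following `cat` and upload steps should be checked against the Dependency-Check action's documented inputs and default report location, since nothing here shows either matches.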