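# This workflow retrieves the SBOM for the application being scanned and saves it as an artifact in the pipeline.
# Required secrets (also used by the pipelinescan-*.yml workflows):
# VERACODE_API_ID, VERACODE_API_KEY: API credentials for a Veracode user
# VERACODE_APP_ID: Numeric application ID for the application profile for this project
---
name: SBOM
on:
  workflow_dispatch:
  # NOTE(review): `release` without `types` fires on every release activity
  # (created, edited, deleted, ...). Add `types: [published]` if only finished
  # releases should produce an SBOM.
  release:

# Least privilege: the job talks to the Veracode API with its own credentials and
# only uploads an artifact; it needs no write access through GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  sbom:
    name: setup
    runs-on: ubuntu-latest
    container:
      image: veracode/api-signing:latest
    env:
      VERACODE_API_KEY_ID: ${{ secrets.VERACODE_API_ID }}
      VERACODE_API_KEY_SECRET: ${{ secrets.VERACODE_API_KEY }}
    steps:
      - name: generate-sbom
        # The app ID is handed to the script through `env` instead of being
        # expanded with `${{ }}` inside `run`, so the secret's value is never
        # spliced into shell source text.
        env:
          LEGACYID: ${{ secrets.VERACODE_APP_ID }}
        run: |
          set -eu
          cd /tmp
          # Resolve the legacy numeric app ID to the application GUID the SBOM API expects.
          # The response is captured before piping into jq so a failed request
          # (--check-status makes HTTPie exit non-zero on 4xx/5xx) aborts the step
          # instead of being hidden behind jq's exit status.
          app_json=$(http --auth-type=veracode_hmac --check-status GET "https://api.veracode.com/appsec/v1/applications?legacy_id=${LEGACYID}")
          appguid=$(printf '%s' "${app_json}" | jq -r '._embedded.applications[0].guid')
          # jq prints "null" when the path is missing; treat that and an empty
          # result as "no such application" rather than requesting /targets//cyclonedx.
          if [ -z "${appguid}" ] || [ "${appguid}" = "null" ]; then
            echo "No Veracode application found for legacy_id ${LEGACYID}" >&2
            exit 1
          fi
          echo "GUID: ${appguid}"
          # --check-status here prevents an error body from being saved (and uploaded) as the SBOM.
          http --auth-type=veracode_hmac --check-status GET "https://api.veracode.com/srcclr/sbom/v1/targets/${appguid}/cyclonedx?type=application" > sbom.json
          ls -l
      - name: save sbom file
        # upload-artifact v3 is deprecated; v4 is the supported release.
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: /tmp/sbom.json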