
review-sbom-practices-add-to-cicd-sop

Open david-thrower opened this issue 2 years ago • 4 comments

Kind of issue: Process Change

Review the SBOM and make sure what we are producing meets requirements. Amend CICD SOP as needed.

Suggested Labels (If you don't know, that's ok): triage/hire-consultant kind/secutity-vulnerability

david-thrower avatar Mar 14 '23 16:03 david-thrower

We have created an open-source tool to help you do just this. It is as simple as `sbomqs share <sbom-file>`. Output example: https://sbombenchmark.dev/user/score?id=eb4903f6-88df-46bd-adb1-e5ea85cdc88f

https://github.com/interlynk-io/sbomqs

riteshnoronha avatar Mar 16 '23 22:03 riteshnoronha

@riteshnoronha , Thanks for the awesome and practical recommendation. I will prioritize this.

david-thrower avatar Mar 17 '23 06:03 david-thrower

Awesome. Would love any feedback.

riteshnoronha avatar Mar 17 '23 16:03 riteshnoronha

One possibility is:

In .github/workflows/automerge.yaml, append:

# Add a pipeline step

    # Scans the checked-out repository (filesystem mode) with the options in trivy.yaml
    - name: Run Trivy vulnerability scanner in fs mode
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'fs'
        scan-ref: '.'
        trivy-config: trivy.yaml

# Configure trivy.yaml

david-thrower avatar Mar 26 '23 20:03 david-thrower
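A complete workflow built around the step proposed above, as an added example that is not part of the issue thread or the project's CI: it generates a CycloneDX SBOM of the tree, writes a `trivy.yaml` inline so the example is self-contained, and gates the job on CRITICAL/HIGH findings. The file name `sbom.yaml`, the job name, and the `trivy.yaml` keys (`severity`, `exit-code`, `ignore-unfixed`) are assumptions; check them against the Trivy documentation for the version you run.

```yaml
# Added example: .github/workflows/sbom.yaml (hypothetical file name, not the
# project's own workflow). Assumes actions/checkout, actions/upload-artifact
# and aquasecurity/trivy-action are available and that trivy.yaml accepts
# the keys severity, exit-code and ignore-unfixed (assumption; verify).
name: sbom-and-vuln-scan
on:
  pull_request:
  push:
    branches: [main]

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Produce the SBOM first, before any config that fails on findings
      # is present in the working directory.
      - name: Generate SBOM (CycloneDX)
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in production
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'cyclonedx'
          output: 'sbom.cdx.json'

      # Normally trivy.yaml is committed at the repo root; it is written
      # here only so that the example runs stand-alone.
      - name: Write trivy.yaml
        run: |
          cat > trivy.yaml <<'EOF'
          severity:
            - CRITICAL
            - HIGH
          exit-code: 1          # fail the job when a matching finding exists
          ignore-unfixed: true  # do not block on findings with no fix available
          EOF

      # The step from the issue comment, now driven by the config above.
      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivy-config: trivy.yaml

      # Keep the SBOM with the build so it can be reviewed (e.g. scored with sbomqs).
      - uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.cdx.json
```

The SBOM artifact is what the issue asks to review; the scan step is the gate that the CICD SOP would amend to include.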