Add sbom-test workflow

sathiya-nhs · sathiya-nhs · commit 687e00a626bd · 2025-11-25T17:55:56.000Z
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -11,100 +11,158 @@ on:
           - yes
           - no
 
-env:
-  SYFT_VERSION: "1.27.1"
-  TF_VERSION: "1.12.2"
+# env:
+#   SYFT_VERSION: "1.27.1"
+#   TF_VERSION: "1.12.2"
+
+# jobs:
+#   deploy:
+#     name: Software Bill of Materials
+#     runs-on: ubuntu-latest
+#     permissions:
+#       actions: read
+#       contents: write
+#     steps:
+#       - name: Checkout
+#         uses: actions/checkout@v5        
+
+#       - name: Setup Python 3.13
+#         uses: actions/setup-python@v5
+#         with:
+#           python-version: "3.13"
+
+#       - name: Setup Terraform
+#         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+
+#       - uses: terraform-linters/setup-tflint@ae78205cfffec9e8d93fd2b3115c7e9d3166d4b6
+#         name: Setup TFLint
+
+#       - name: Set architecture variable
+#         id: os-arch
+#         run: |
+#           case "${{ runner.arch }}" in
+#             X64) ARCH="amd64" ;;
+#             ARM64) ARCH="arm64" ;;
+#           esac
+#           echo "arch=${ARCH}" >> $GITHUB_OUTPUT
+
+#       - name: Download and setup Syft
+#         run: |
+#           DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
+#           echo "Downloading: ${DOWNLOAD_URL}"
+
+#           curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
+#           tar -xzf syft.tar.gz
+#           chmod +x syft
+
+#           # Add to PATH for subsequent steps
+#           echo "$(pwd)" >> $GITHUB_PATH       
+
+#       - name: Create SBOM
+#         run: bash scripts/create-sbom.sh terraform python tflint
+
+#       - name: Convert SBOM JSON to CSV
+#         run: |
+#           pip install --upgrade pip
+#           pip install tabulate  
+#           REPO_NAME=$(basename $GITHUB_REPOSITORY)
+#           python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
+
+#       - name: Upload SBOM CSV as artifact
+#         uses: actions/upload-artifact@v4
+#         with:
+#           name: sbom-csv
+#           path: SBOM_${{ github.event.repository.name }}.csv
+
+#       - name: Install Grype
+#         run: |
+#           curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+#       - name: Scan SBOM for Vulnerabilities (JSON)
+#         run: |
+#           grype sbom:sbom.json -o json > grype-report.json
+          
+      
 
-jobs:
-  deploy:
-    name: Software Bill of Materials
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5        
+#       - name: Convert Grype JSON to CSV
+#         run: |
+#           pip install --upgrade pip
+#           REPO_NAME=$(basename $GITHUB_REPOSITORY)
+#           python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
 
-      - name: Setup Python 3.13
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.13"
 
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+#       - name: Upload Vulnerability Report
+#         uses: actions/upload-artifact@v4
+#         with:
+#           name: grype-report
+#           path: grype-report-${{ github.event.repository.name }}.csv
 
-      - uses: terraform-linters/setup-tflint@ae78205cfffec9e8d93fd2b3115c7e9d3166d4b6
-        name: Setup TFLint
+#       - name: Generate Package Inventory CSV
+#         run: |
+#           pip install --upgrade pip
+#           REPO_NAME=$(basename $GITHUB_REPOSITORY)
+#           python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
 
-      - name: Set architecture variable
-        id: os-arch
-        run: |
-          case "${{ runner.arch }}" in
-            X64) ARCH="amd64" ;;
-            ARM64) ARCH="arm64" ;;
-          esac
-          echo "arch=${ARCH}" >> $GITHUB_OUTPUT
+#       - name: Upload Package Inventory CSV
+#         uses: actions/upload-artifact@v4
+#         with:
+#           name: sbom-packages
+#           path: sbom-packages-${{ github.event.repository.name }}.csv
 
-      - name: Download and setup Syft
-        run: |
-          DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
-          echo "Downloading: ${DOWNLOAD_URL}"
+jobs:
+  sbom:
+    runs-on: ubuntu-22.04
+    container:
+      image: python:3.13-slim
 
-          curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
-          tar -xzf syft.tar.gz
-          chmod +x syft
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
 
-          # Add to PATH for subsequent steps
-          echo "$(pwd)" >> $GITHUB_PATH       
+      - name: Install Poetry and Tools
+        run: |
+          apt-get update && apt-get install -y curl
+          curl -sSL https://install.python-poetry.org | python3 -
+          export PATH="$HOME/.local/bin:$PATH"
+          pip install cyclonedx-bom grype tabulate
 
-      - name: Create SBOM
-        run: bash scripts/create-sbom.sh terraform python tflint
+      - name: Install dependencies
+        run: |
+          export PATH="$HOME/.local/bin:$PATH"
+          poetry install
 
+      # Generate SBOM in JSON
+      - name: Generate SBOM (CycloneDX)
+        run: |
+          cyclonedx-py --format json --output sbom.json
+
+      # Convert SBOM JSON to CSV
       - name: Convert SBOM JSON to CSV
         run: |
-          pip install --upgrade pip
-          pip install tabulate  
-          REPO_NAME=$(basename $GITHUB_REPOSITORY)
-          python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
+          python .github/scripts/sbom_json_to_csv.py sbom.json sbom.csv
 
-      - name: Upload SBOM CSV as artifact
+      - name: Upload SBOM artifacts
         uses: actions/upload-artifact@v4
         with:
-          name: sbom-csv
-          path: SBOM_${{ github.event.repository.name }}.csv
-
-      - name: Install Grype
-        run: |
-          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+          name: sbom-files
+          path: |
+            sbom.json
+            sbom.csv
 
-      - name: Scan SBOM for Vulnerabilities (JSON)
+      # Scan SBOM for vulnerabilities
+      - name: Scan SBOM for Vulnerabilities
         run: |
           grype sbom:sbom.json -o json > grype-report.json
-          
-      
 
+      # Convert Grype JSON to CSV
       - name: Convert Grype JSON to CSV
         run: |
-          pip install --upgrade pip
-          REPO_NAME=$(basename $GITHUB_REPOSITORY)
-          python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
-
+          python .github/scripts/grype_json_to_csv.py grype-report.json grype-report.csv
 
       - name: Upload Vulnerability Report
         uses: actions/upload-artifact@v4
         with:
           name: grype-report
-          path: grype-report-${{ github.event.repository.name }}.csv
-
-      - name: Generate Package Inventory CSV
-        run: |
-          pip install --upgrade pip
-          REPO_NAME=$(basename $GITHUB_REPOSITORY)
-          python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
-
-      - name: Upload Package Inventory CSV
-        uses: actions/upload-artifact@v4
-        with:
-          name: sbom-packages
-          path: sbom-packages-${{ github.event.repository.name }}.csv
+          path: |
+            grype-report.json
+            grype-report.csv
