6 changes: 6 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -51,6 +51,12 @@ jobs:
draft: true
generate_release_notes: true

create-sbom:
needs: [create-release, build-docker-release]
uses: ./.github/workflows/sbom.yml
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}

build-release:
name: Release ${{ matrix.build }}
needs: [create-release]
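Review bot: The new `create-sbom:` job declares no `permissions` block while the reusable workflow it calls uploads release assets with `secrets.GITHUB_TOKEN`; a called workflow cannot exceed the permissions of the calling job, so if this workflow's default is read-only (not visible in this hunk) the upload step in sbom.yml fails, and if it is permissive the token carries more than the upload needs. Add `permissions:` with `contents: write` on this job, and the same job-level block on `create-sbom` in sbom.yml so the callee documents what it requires. The callee's image SBOM step scans `ghcr.io/defguard/gateway:` followed by the tag name with its `v` stripped, so `needs: [create-release, build-docker-release]` orders things correctly only if `build-docker-release` pushes a tag in exactly that form; that job is outside this hunk and worth confirming.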
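--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,54 @@
+name: Create SBOM files
+
+on:
+workflow_call:
+inputs:
+upload_url:
+description: "Release assets upload URL"
+required: true
+type: string
+
+jobs:
+create-sbom:
+runs-on: self-hosted
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+submodules: recursive
+
+# Store the version, stripping any v-prefix
+- name: Write release version
+run: |
+VERSION=${GITHUB_REF_NAME#v}
+echo Version: $VERSION
+echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+- name: Create SBOM with Trivy
+uses: aquasecurity/trivy-action@0.33.1
+with:
+scan-type: 'fs'
+format: 'spdx-json'
+output: "defguard-gateway-${{ env.VERSION }}.sbom.json"
+scan-ref: '.'
+severity: "CRITICAL,HIGH,MEDIUM"
+
+- name: Create docker image SBOM with Trivy
+uses: aquasecurity/trivy-action@0.33.1
+with:
+image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
+scan-type: 'image'
+format: 'spdx-json'
+output: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
+severity: "CRITICAL,HIGH,MEDIUM"
+scanners: "vuln"
+
+- name: Upload SBOM
+uses: shogo82148/actions-upload-release-asset@v1
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+with:
+upload_url: ${{ inputs.upload_url }}
+asset_path: "defguard-*.sbom.json"
+asset_content_type: application/octet-stream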
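Review bot: The third-party actions at `uses: aquasecurity/trivy-action@0.33.1` (both Trivy steps) and `uses: shogo82148/actions-upload-release-asset@v1` are referenced by mutable tags, and they run on a self-hosted runner with a `GITHUB_TOKEN` that must be able to write release assets; a moved tag would execute different code with that token. Pin each to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.33.1`, with the same treatment for `actions/checkout@v4`. `VERSION=${GITHUB_REF_NAME#v}` is never validated, so on a non-tag ref the version is empty, the `image-ref` becomes `ghcr.io/defguard/gateway:` and the output file is `defguard-gateway-.sbom.json`; add `test -n "$VERSION"` after the assignment, or make the version a second `workflow_call` input so the callee does not depend on the caller's ref. The `severity` value appears to have no effect on `spdx-json` output and could be dropped so the file does not read as if the SBOM were filtered by severity.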
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,11 +1,11 @@
FROM rust:1-slim AS builder
FROM public.ecr.aws/docker/library/rust:1-slim AS builder

RUN apt-get update && apt-get -y install protobuf-compiler libnftnl-dev libmnl-dev
WORKDIR /app
COPY . .
RUN cargo build --release

FROM debian:13-slim
FROM public.ecr.aws/docker/library/debian:13-slim
RUN apt-get update && apt-get -y --no-install-recommends install \
iproute2 wireguard-tools sudo ca-certificates iptables ebtables nftables && \
apt-get clean && rm -rf /var/lib/apt/lists/*
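Review bot: Both `FROM` lines still resolve floating tags (`rust:1-slim`, `debian:13-slim`) after the move to the ECR mirror, so the base image actually used — and presumably the image SBOM the release workflow in this commit generates from it — can differ between two builds of the same commit. Pin each base by digest while keeping the tag for readability, e.g. `FROM public.ecr.aws/docker/library/rust:1-slim@sha256:<digest> AS builder` and `FROM public.ecr.aws/docker/library/debian:13-slim@sha256:<digest>`, and refresh the digests deliberately. The builder stage's `apt-get -y install protobuf-compiler libnftnl-dev libmnl-dev` also lacks the `--no-install-recommends` and list cleanup used in the runtime stage; it does not affect the final image but is inconsistent within the file.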