From e9a36e4088f70c9527e6166b1e18b798d53cc66d Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Fri, 19 Sep 2025 14:06:50 +0200
Subject: [PATCH 1/5] Fixes pentest issue DG25-29 from 2025-09-02 (#212)

* bump defguard-wireguard-rs dependency to v0.7.7
* cargo update
---
 Cargo.lock | 126 +++++++++++++++++++++++++++++++----------------------
 Cargo.toml |   2 +-
 2 files changed, 74 insertions(+), 54 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 51c5e6cd..3645f27d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -200,9 +200,9 @@ checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
 
 [[package]]
 name = "cc"
-version = "1.2.36"
+version = "1.2.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5252b3d2648e5eedbc1a6f501e3c795e07025c1e93bbf8bbdd6eef7f447a6d54"
+checksum = "80f41ae168f955c12fb8960b057d70d0ca153fb83182b57d86380443527be7e9"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -415,9 +415,9 @@ dependencies = [
 
 [[package]]
 name = "defguard_wireguard_rs"
-version = "0.7.6"
+version = "0.7.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "093cede63322e14eede3916a6a5de2518788f438a6cdfc71d262c72d0ae865d0"
+checksum = "480e5be07e155d3fd4ff894a6348bc8eb9a3ddfacb681fc457445ec04135c0c6"
 dependencies = [
  "base64",
  "libc",
@@ -544,9 +544,9 @@ checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
 
 [[package]]
 name = "find-msvc-tools"
-version = "0.1.1"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d"
+checksum = "1ced73b1dacfc750a6db6c0a0c3a3853c8b41997e2e2c563dc90804ae6867959"
 
 [[package]]
 name = "fixedbitset"
@@ -648,7 +648,7 @@ dependencies = [
  "cfg-if",
  "libc",
  "r-efi",
- "wasi 0.14.5+wasi-0.2.4",
+ "wasi 0.14.7+wasi-0.2.4",
 ]
 
 [[package]]
@@ -691,9 +691,9 @@ dependencies = [
 
 [[package]]
 name = "hashbrown"
-version = "0.15.5"
+version = "0.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
 
 [[package]]
 name = "heck"
@@ -796,9 +796,9 @@ dependencies = [
 
 [[package]]
 name = "hyper-util"
-version = "0.1.16"
+version = "0.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d9b05277c7e8da2c93a568989bb6207bef0112e8d17df7a6eda4a3cf143bc5e"
+checksum = "3c6995591a8f1380fcb4ba966a252a4b29188d51d2b89e3a252f5305be65aea8"
 dependencies = [
  "bytes",
  "futures-channel",
@@ -930,9 +930,9 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.11.1"
+version = "2.11.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "206a8042aec68fa4a62e8d3f7aa4ceb508177d9324faf261e1959e495b7a1921"
+checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
 dependencies = [
  "equivalent",
  "hashbrown",
@@ -1149,11 +1149,11 @@ checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084"
 
 [[package]]
 name = "netlink-packet-core"
-version = "0.8.0"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "745d789fe0958caf7252f5e1e900ce5c09b6a5bf05c7bba02a9cc600866ce31e"
+checksum = "3463cbb78394cb0141e2c926b93fc2197e473394b761986eca3b9da2c63ae0f4"
 dependencies = [
- "pastey",
+ "paste",
 ]
 
 [[package]]
@@ -1307,6 +1307,12 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "paste"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+
 [[package]]
 name = "pastey"
 version = "0.1.1"
@@ -1369,9 +1375,9 @@ checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
 
 [[package]]
 name = "plist"
-version = "1.7.4"
+version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3af6b589e163c5a788fab00ce0c0366f6efbb9959c2f9874b224936af7fce7e1"
+checksum = "740ebea15c5d1428f910cd1a5f52cebf8d25006245ed8ade92702f4943d91e07"
 dependencies = [
  "base64",
  "indexmap",
@@ -1609,9 +1615,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.23.31"
+version = "0.23.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0ebcbd2f03de0fc1122ad9bb24b127a5a6cd51d72604a3f3c50ac459762b6cc"
+checksum = "cd3c25631629d034ce7cd9940adc9d45762d46de2b0f57193c4443b92c6d4d40"
 dependencies = [
  "log",
  "once_cell",
@@ -1645,9 +1651,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.4"
+version = "0.103.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a17884ae0c1b773f1ccd2bd4a8c72f16da897310a98b0e84bf349ad5ead92fc"
+checksum = "8572f3c2cb9934231157b45499fc41e1f58c589fdfb81a844ba873265e80f8eb"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -1700,27 +1706,38 @@ dependencies = [
 
 [[package]]
 name = "semver"
-version = "1.0.26"
+version = "1.0.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
 dependencies = [
  "serde",
+ "serde_core",
 ]
 
 [[package]]
 name = "serde"
-version = "1.0.219"
+version = "1.0.225"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd6c24dee235d0da097043389623fb913daddf92c76e9f5a1db88607a0bcbd1d"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.225"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
+checksum = "659356f9a0cb1e529b24c01e43ad2bdf520ec4ceaf83047b83ddcc2251f96383"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.219"
+version = "1.0.225"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
+checksum = "0ea936adf78b1f766949a4977b91d2f5595825bd6ec079aa9543ad2685fc4516"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1729,33 +1746,35 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.143"
+version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d401abef1d108fbd9cbaebc3e46611f4b1021f714a0597a71f41ee463f5f4a5a"
+checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
  "itoa",
  "memchr",
  "ryu",
  "serde",
+ "serde_core",
 ]
 
 [[package]]
 name = "serde_path_to_error"
-version = "0.1.17"
+version = "0.1.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "59fab13f937fa393d08645bf3a84bdfe86e296747b506ada67bb15f10f218b2a"
+checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457"
 dependencies = [
  "itoa",
  "serde",
+ "serde_core",
 ]
 
 [[package]]
 name = "serde_spanned"
-version = "1.0.0"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40734c41988f7306bb04f0ecf60ec0f3f1caa34290e4e8ea471dcd3346483b83"
+checksum = "5417783452c2be558477e104686f7de5dae53dba813c28435e0e70f82d9b04ee"
 dependencies = [
- "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -1918,11 +1937,12 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.43"
+version = "0.3.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83bde6f1ec10e72d583d91623c939f623002284ef622b87de38cfd546cbf2031"
+checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d"
 dependencies = [
  "deranged",
+ "itoa",
  "libc",
  "num-conv",
  "num_threads",
@@ -1990,9 +2010,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.26.2"
+version = "0.26.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b"
+checksum = "05f63835928ca123f1bef57abbcd23bb2ba0ac9ae1235f1e65bda0d06e7786bd"
 dependencies = [
  "rustls",
  "tokio",
@@ -2024,11 +2044,11 @@ dependencies = [
 
 [[package]]
 name = "toml"
-version = "0.9.5"
+version = "0.9.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75129e1dc5000bfbaa9fee9d1b21f974f9fbad9daec557a521ee6e080825f6e8"
+checksum = "00e5e5d9bf2475ac9d4f0d9edab68cc573dc2fd644b0dba36b0c30a92dd9eaa0"
 dependencies = [
- "serde",
+ "serde_core",
  "serde_spanned",
  "toml_datetime",
  "toml_parser",
@@ -2037,18 +2057,18 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "0.7.0"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bade1c3e902f58d73d3f294cd7f20391c1cb2fbcb643b73566bc773971df91e3"
+checksum = "32f1085dec27c2b6632b04c80b3bb1b4300d6495d1e129693bdda7d91e72eec1"
 dependencies = [
- "serde",
+ "serde_core",
 ]
 
 [[package]]
 name = "toml_parser"
-version = "1.0.2"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b551886f449aa90d4fe2bdaa9f4a2577ad2dde302c61ecf262d80b116db95c10"
+checksum = "4cf893c33be71572e0e9aa6dd15e6677937abd686b066eac3f8cd3531688a627"
 dependencies = [
  "winnow",
 ]
@@ -2333,18 +2353,18 @@ checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
 
 [[package]]
 name = "wasi"
-version = "0.14.5+wasi-0.2.4"
+version = "0.14.7+wasi-0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4494f6290a82f5fe584817a676a34b9d6763e8d9d18204009fb31dceca98fd4"
+checksum = "883478de20367e224c0090af9cf5f9fa85bed63a95c1abf3afc5c083ebc06e8c"
 dependencies = [
  "wasip2",
 ]
 
 [[package]]
 name = "wasip2"
-version = "1.0.0+wasi-0.2.4"
+version = "1.0.1+wasi-0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03fa2761397e5bd52002cd7e73110c71af2109aca4e521a9f40473fe685b0a24"
+checksum = "0562428422c63773dad2c345a1882263bbf4d65cf3f42e90921f787ef5ad58e7"
 dependencies = [
  "wit-bindgen",
 ]
@@ -2534,9 +2554,9 @@ checksum = "21a0236b59786fed61e2a80582dd500fe61f18b5dca67a4a067d0bc9039339cf"
 
 [[package]]
 name = "wit-bindgen"
-version = "0.45.1"
+version = "0.46.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c573471f125075647d03df72e026074b7203790d41351cd6edc96f46bcccd36"
+checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59"
 
 [[package]]
 name = "writeable"
diff --git a/Cargo.toml b/Cargo.toml
index 967c7a08..6e75519e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "86
 axum = "0.8"
 base64 = "0.22"
 clap = { version = "4.5", features = ["derive", "env"] }
-defguard_wireguard_rs = "0.7.6"
+defguard_wireguard_rs = "0.7.7"
 env_logger = "0.11"
 gethostname = "1.0"
 ipnetwork = "0.21"

From 82a5f5c933c7aec6fab90719982347ceda5edd7d Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Fri, 26 Sep 2025 10:31:55 +0200
Subject: [PATCH 2/5] Create SBOM files (#216)

* implement sbom workflow

* fix asset name

* spdx format

* depend on build-docker-release instead of prerelease

* test self-hosted runner

* uncomment build steps

* test on prerelease

* use aws docker image to avoid limits

* uncomment binary builds

* use shogo82148/actions-upload-release-asset upload action

* fix trivy action version

* uncomment binary build
---
 .github/workflows/release.yml |  6 ++++
 .github/workflows/sbom.yml    | 54 +++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 .github/workflows/sbom.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c67ab500..efa212c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,6 +51,12 @@ jobs:
           draft: true
           generate_release_notes: true
 
+  create-sbom:
+    needs: [create-release, build-docker-release]
+    uses: ./.github/workflows/sbom.yml
+    with:
+      upload_url: ${{ needs.create-release.outputs.upload_url }}
+
   build-release:
     name: Release ${{ matrix.build }}
     needs: [create-release]
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 00000000..ecf7b1b6
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,54 @@
+name: Create SBOM files
+
+on:
+  workflow_call:
+    inputs:
+      upload_url:
+        description: "Release assets upload URL"
+        required: true
+        type: string
+
+jobs:
+  create-sbom:
+    runs-on: self-hosted
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      # Store the version, stripping any v-prefix
+      - name: Write release version
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          echo Version: $VERSION
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Create SBOM with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          format: 'spdx-json'
+          output: "defguard-gateway-${{ env.VERSION }}.sbom.json"
+          scan-ref: '.'
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+      - name: Create docker image SBOM with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
+          scan-type: 'image'
+          format: 'spdx-json'
+          output: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
+
+      - name: Upload SBOM
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ inputs.upload_url }}
+          asset_path: "defguard-*.sbom.json"
+          asset_content_type: application/octet-stream

From 26bcdc28db038d48b9a3358b09e8c50f3d8403e3 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Fri, 26 Sep 2025 14:11:25 +0200
Subject: [PATCH 3/5] CI: scan code with trivy (#217)

* CI: scan code with trivy

* bump trivy action version

* include low severity vulns in sbom
---
 .github/workflows/build-docker.yml |  2 +-
 .github/workflows/ci.yml           | 10 ++++++++++
 .github/workflows/sbom.yml         |  5 +++--
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 680f516c..f0f95075 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -74,7 +74,7 @@ jobs:
           cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }}
 
       - name: Scan image with Trivy
-        uses: aquasecurity/trivy-action@0.32.0
+        uses: aquasecurity/trivy-action@0.33.1
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cc9a2889..4d79ae06 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,6 +33,16 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Scan code with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          exit-code: "1"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
+
       - name: Cache
         uses: Swatinem/rust-cache@v2
         with:
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index ecf7b1b6..6f0c7b52 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -32,7 +32,8 @@ jobs:
           format: 'spdx-json'
           output: "defguard-gateway-${{ env.VERSION }}.sbom.json"
           scan-ref: '.'
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          scanners: "vuln"
 
       - name: Create docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
@@ -41,7 +42,7 @@ jobs:
           scan-type: 'image'
           format: 'spdx-json'
           output: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Upload SBOM

From aacbc19915534c15531cf906e0de69283f66205f Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Mon, 29 Sep 2025 15:47:20 +0200
Subject: [PATCH 4/5] Periodic sbom regeneration (#218)

* periodic sbom regeneration test

* regenerate on push to branch

* run on ubuntu-latest

* try to get uploadUrl with "gh api" command

* limit to 3 latest releases

* only published releases

* test periodic sbom generation for latest releases

* add step id

* run sbom generation on linux

* test cron trigger

* test sbom files re-upload

* (re)generate advisories files

* cleanup, last 3 releases

* comments

* only generate sboms and advisories for the latest release
---
 .github/workflows/sbom-regenerate.yml | 36 ++++++++++++++++++
 .github/workflows/sbom.yml            | 54 ++++++++++++++++++++-------
 2 files changed, 77 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/sbom-regenerate.yml

diff --git a/.github/workflows/sbom-regenerate.yml b/.github/workflows/sbom-regenerate.yml
new file mode 100644
index 00000000..d6a1bbe1
--- /dev/null
+++ b/.github/workflows/sbom-regenerate.yml
@@ -0,0 +1,36 @@
+name: Periodic SBOM Regeneration
+
+on:
+  schedule:
+    - cron: '30 2 * * *' # 2:30 AM UTC
+
+jobs:
+  list-releases:
+    name: List releases
+    runs-on: ubuntu-latest
+    outputs:
+      releases: ${{ steps.get-releases.outputs.releases }}
+    steps:
+      - name: Get list of releases
+        id: get-releases
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          RELEASES_JSON=$(gh api repos/${{ github.repository }}/releases \
+            --jq '[.[] | select(.draft == false) | {tagName: .tag_name, uploadUrl: .upload_url}][:1]')
+          echo "releases=$RELEASES_JSON" >> $GITHUB_OUTPUT
+
+  regenerate-for-release:
+    name: Regenerate SBOM for release
+    needs: list-releases
+    # Don't run if no releases were found.
+    if: needs.list-releases.outputs.releases != '[]'
+    strategy:
+      fail-fast: false
+      matrix:
+        release: ${{ fromJson(needs.list-releases.outputs.releases) }}
+    uses: ./.github/workflows/sbom.yml
+    with:
+      upload_url: ${{ matrix.release.uploadUrl }}
+      tag: ${{ matrix.release.tagName }}
+    secrets: inherit
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 6f0c7b52..9f2fc8bb 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -7,30 +7,37 @@ on:
         description: "Release assets upload URL"
         required: true
         type: string
+      tag:
+        description: "The git tag to generate SBOM for - used in scheduled runs"
+        required: false
+        type: string
 
 jobs:
   create-sbom:
-    runs-on: self-hosted
+    runs-on: [self-hosted, Linux, X64]
 
     steps:
+      - name: Determine release tag and version
+        id: vars
+        # Uses inputs.tag for scheduled runs, otherwise github.ref_name.
+        run: |
+          TAG_NAME=${{ inputs.tag || github.ref_name }}
+          VERSION=${TAG_NAME#v}
+          echo "TAG_NAME=$TAG_NAME" >> $GITHUB_OUTPUT
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
+          ref: ${{ steps.vars.outputs.TAG_NAME }}
           submodules: recursive
 
-      # Store the version, stripping any v-prefix
-      - name: Write release version
-        run: |
-          VERSION=${GITHUB_REF_NAME#v}
-          echo Version: $VERSION
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
-
       - name: Create SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
         with:
           scan-type: 'fs'
           format: 'spdx-json'
-          output: "defguard-gateway-${{ env.VERSION }}.sbom.json"
+          output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.sbom.json"
           scan-ref: '.'
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
@@ -38,18 +45,39 @@ jobs:
       - name: Create docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
         with:
-          image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
+          image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'
           format: 'spdx-json'
-          output: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
+          output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.sbom.json"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          scanners: "vuln"
+
+      - name: Create security advisory file with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          format: 'json'
+          output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.advisories.json"
+          scan-ref: '.'
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          scanners: "vuln"
+
+      - name: Create docker image security advisory file with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
+          scan-type: 'image'
+          format: 'json'
+          output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.advisories.json"
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
-      - name: Upload SBOM
+      - name: Upload SBOMs and advisories
         uses: shogo82148/actions-upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ inputs.upload_url }}
-          asset_path: "defguard-*.sbom.json"
+          asset_path: "defguard-*.json"
           asset_content_type: application/octet-stream
+          overwrite: true

From 509a543d4a66b0caa5001a6dcc69729e7637f38c Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Tue, 30 Sep 2025 09:30:22 +0200
Subject: [PATCH 5/5] only generate sbom for full releases

---
 .github/workflows/sbom-regenerate.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/sbom-regenerate.yml b/.github/workflows/sbom-regenerate.yml
index d6a1bbe1..3e2015c1 100644
--- a/.github/workflows/sbom-regenerate.yml
+++ b/.github/workflows/sbom-regenerate.yml
@@ -17,7 +17,9 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           RELEASES_JSON=$(gh api repos/${{ github.repository }}/releases \
-            --jq '[.[] | select(.draft == false) | {tagName: .tag_name, uploadUrl: .upload_url}][:1]')
+            --jq '[.[]
+                   | select(.draft == false and (.tag_name | test("^v[0-9]+\\.[0-9]+\\.[0-9]+$")))
+                   | {tagName: .tag_name, uploadUrl: .upload_url}][:1]')
           echo "releases=$RELEASES_JSON" >> $GITHUB_OUTPUT
 
   regenerate-for-release: