diff --git a/.github/workflows/python-security.yml b/.github/workflows/python-security.yml
index 0403ee6..1b62e7c 100644
--- a/.github/workflows/python-security.yml
+++ b/.github/workflows/python-security.yml
@@ -8,6 +8,15 @@ on:
         default: ""
         required: false
         type: string
+      dependency-track-project-name:
+        description: Project name for Dependency Track.
+        required: false
+        type: string
+      dependency-track-project-version:
+        description: Project name for Dependency Track. Typically the default branch unless multiple forks are maintained.
+        default: main
+        required: false
+        type: string
       publish-reports:
         description: Publish the generated reports to the Security Operation Center. Defaults to false.
         default: false
@@ -30,6 +39,12 @@ on:
       defectdojo-token:
         description: DefectDojo API Token
         required: false
+      dependency-track-url:
+        description: URL to the Dependency Track instance to publish the SBOM to.
+        required: false
+      dependency-track-api-key:
+        description: API key of the Dependency Track instance.
+        required: false
 
 jobs:
   secrets:
@@ -61,3 +76,24 @@ jobs:
       language: py
       report-retention-days: ${{ inputs.report-retention-days }}
       working-directory: ${{ inputs.working-directory }}
+
+  sbom:
+    name: SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Setup Python
+        uses: equisoft-actions/setup-python@v1.0.0
+
+      - name: Generate SBOM
+        uses: equisoft-actions/pipenv-sbom@v1.0.0
+        with:
+          dependency-track-api-key: ${{ secrets.dependency-track-api-key }}
+          dependency-track-url: ${{ secrets.dependency-track-url }}
+          dependency-track-project-name: ${{ inputs.dependency-track-project-name }}
+          dependency-track-project-version: ${{ inputs.dependency-track-project-version }}
+          publish: ${{ inputs.publish-reports }}
+          report-retention-days: ${{ inputs.report-retention-days }}
+          working-directory: ${{ inputs.working-directory }}
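Review bot: The description of the new `dependency-track-project-version` input in the first hunk is a copy of the project-name description ("Project name for Dependency Track."), so callers reading the workflow's input docs see the wrong meaning for the field that defaults to `main`. Suggested wording: `description: Project version for Dependency Track. Typically the default branch name unless multiple forks are maintained.`. It would also help to state in the `dependency-track-project-name` description what happens when it is left unset, since it has no `default` and is forwarded to the SBOM action as an empty string; I cannot tell from this hunk whether the action treats an empty name as an error or as "skip publishing".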
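Review bot: In the new `sbom` job, `actions/checkout@v2` is pinned to a floating major tag while the two equisoft actions on the same job are pinned to exact release tags, so the step that runs first is the one whose code can change underneath this workflow without any edit here. For a security workflow that is itself handed a Dependency Track API key, pin third-party actions to a full-length commit SHA (with the tag in a trailing comment) and let the pinned SHA be refreshed by a dependency-update bot; at minimum use the same exact-tag discipline as the other two steps. The job also declares no `permissions:` block, so it inherits whatever the caller grants; since the job only reads the repository and talks to Dependency Track with its own key, `permissions:` with `contents: read` on the job is enough and keeps the `GITHUB_TOKEN` exposed to the SBOM step least-privileged. Note too that both Dependency Track secrets are declared `required: false` in the second hunk, so the job runs unconditionally even when a caller supplies neither; if `publish-reports` is the intended switch, consider gating the job with `if: ${{ inputs.publish-reports }}` or documenting that the action itself no-ops without credentials, which I cannot verify from the diff.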