Adds SBOM to docker images using GitHub workflows (#152)

* Adds SBOM to docker images using GitHub workflows * Removes empty line
eclipse-basyx · Dec 16, 2024 · d3bc9cc · d3bc9cc
1 parent 651c84c
commit d3bc9cc
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 8 deletions.
diff --git a/.github/workflows/docker-prerelease-ui.yml b/.github/workflows/docker-prerelease-ui.yml
@@ -11,6 +11,11 @@ jobs:
   build-and-push-prerelease:
     runs-on: ubuntu-latest
 
+    env:
+      IMAGE_NAME: eclipsebasyx/aas-gui
+      IMAGE_TAG: SNAPSHOT
+      SBOM_FILE: sbom.json
+
     steps:
       # Step 1: Checkout the repository
       - name: Checkout Code
@@ -41,9 +46,25 @@ jobs:
           push: true
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           tags: |
-            eclipsebasyx/aas-gui:SNAPSHOT
+            ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+
+      # Step 5: Generate SBOM with Syft
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Generate SBOM
+        run: |
+          syft ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} -o json > ${{ env.SBOM_FILE }}
+
+      # Step 6: Upload SBOM as an Artifact
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v3
+        with:
+          name: sbom
+          path: ${{ env.SBOM_FILE }}
 
-      # Step 5: Verify the Push
+      # Step 7: Verify the Push
       - name: Verify Docker Image
         run: |
-          docker pull eclipsebasyx/aas-gui:SNAPSHOT
+          docker pull ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
diff --git a/.github/workflows/docker-release-ui.yml b/.github/workflows/docker-release-ui.yml
@@ -8,6 +8,10 @@ jobs:
   build-and-push-release:
     runs-on: ubuntu-latest
 
+    env:
+      IMAGE_NAME: eclipsebasyx/aas-gui
+      SBOM_FILE: sbom.json
+
     steps:
       # Step 1: Checkout the repository
       - name: Checkout Code
@@ -46,11 +50,27 @@ jobs:
           push: true
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           tags: |
-            eclipsebasyx/aas-gui:${{ env.TAG_NAME }}
-            eclipsebasyx/aas-gui:latest
+            ${{ env.IMAGE_NAME }}:${{ env.TAG_NAME }}
+            ${{ env.IMAGE_NAME }}:latest
+      
+      # Step 6: Generate SBOM with Syft
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Generate SBOM
+        run: |
+          syft ${{ env.IMAGE_NAME }}:${{ env.TAG_NAME }} -o json > ${{ env.SBOM_FILE }}
+
+      # Step 7: Upload SBOM as an Artifact
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v3
+        with:
+          name: sbom
+          path: ${{ env.SBOM_FILE }}
 
-      # Step 6: Verify the Push
+      # Step 8: Verify the Push
       - name: Verify Docker Images
         run: |
-          docker pull eclipsebasyx/aas-gui:${{ env.TAG_NAME }}
-          docker pull eclipsebasyx/aas-gui:latest
+          docker pull ${{ env.IMAGE_NAME }}:${{ env.TAG_NAME }}
+          docker pull ${{ env.IMAGE_NAME }}:latest