From 9de404f4b2eb9b3831a203a26bb0ad7a13bdb5a7 Mon Sep 17 00:00:00 2001
From: Alan Pope
Date: Tue, 30 Jul 2024 10:37:08 +0100
Subject: [PATCH] feat: Add SBOM generation and vulnerability scanning in workflows (#39)
* feat: generate container sbom during release
* No need to publish separately, it's automatic
* feat: Add regular vulnerability scanning
* syntax
* specify container file
* vital missing step
* Display grype output in the log in table format
---
.github/workflows/publish-release.yml | 6 +++++
.github/workflows/scan-container.yaml | 35 +++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 .github/workflows/scan-container.yaml
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index dd1890b..be7c83a 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -113,5 +113,11 @@ jobs:
ghcr.io/${{ github.repository }}:${{ env.STREAM_SPROUT_VER }}-alpine
ghcr.io/${{ github.repository }}:${{ github.sha }}-alpine
platforms: linux/amd64, linux/arm64
+ - name: "Generate SBOM"
+ uses: anchore/sbom-action@v0
+ with:
+ image: ghcr.io/${{ github.repository }}:latest-alpine
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
- name: Logout from Container Registry
run: docker logout ghcr.io
diff --git a/.github/workflows/scan-container.yaml b/.github/workflows/scan-container.yaml
new file mode 100644
index 0000000..799179b
--- /dev/null
+++ b/.github/workflows/scan-container.yaml
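Review bot: The new "Generate SBOM" step points `image:` at `ghcr.io/${{ github.repository }}:latest-alpine`, a mutable tag, while the build step just above it (which appears to be pushing) also tags the same image with the immutable `${{ github.sha }}-alpine`; scanning the floating tag means the SBOM describes whatever `latest-alpine` resolves to when the step runs, not necessarily the artifact this release produced. I'd change it to `image: ghcr.io/${{ github.repository }}:${{ github.sha }}-alpine`, or better the build step's digest output if that step has an `id` (not visible in this hunk). `anchore/sbom-action@v0` is referenced by a floating major tag in a job that holds the registry token; pinning it to a full commit SHA with the version in a trailing comment is the usual hardening for release workflows. The job continues outside the hunk, so I cannot tell whether non-alpine variants pushed earlier get an SBOM as well; if they exist, they should.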
@@ -0,0 +1,35 @@
+name: "Vulnerability 🐞 scan 🔍 container"
+
+on:
+ schedule:
+ - cron: "0 10 * * 2"
+ workflow_dispatch:
+
+jobs:
+ vulnerability-scan:
+ name: "Build and scan"
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: build local container
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ file: ./Containerfile
+ tags: localbuild/testimage:latest
+ push: false
+ load: true
+
+ - name: Scan image
+ uses: anchore/scan-action@v3
+ with:
+ image: "localbuild/testimage:latest"
+ output-format: table
+
+ - name: Inspect action report
+ run: cat ${{ steps.scan.outputs.table }}
\ No newline at end of file
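Review bot: The final step runs `cat ${{ steps.scan.outputs.table }}`, but the "Scan image" step has no `id: scan`, so the expression expands to an empty string and the step never prints the report its name promises (and, as far as I know, scan-action v3 only exposes `sarif` and `json` outputs, with `output-format: table` writing straight to the step log). Either add `id: scan` to the scan step and read a documented output such as `steps.scan.outputs.json`, or drop the "Inspect action report" step if the table really does land in the log as the commit message says. The workflow declares no `permissions:` block, so the job inherits the repository's default token scope even though checkout plus a local, unpushed build only needs `permissions:` / `  contents: read` at the top level. All four actions are referenced by floating major tags (`@v4`, `@v2`, `@v3`); for a scheduled job that builds from source, pinning each to a full commit SHA is the standard supply-chain hardening.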