MLPAB-2403 - upload sboms (#1399)

.github/workflows/docker_job.yml

@@ -34,15 +34,19 @@ jobs:
       matrix:
         include:
           - ecr_repository: modernising-lpa/app
+            name: app
             path: ./docker/mlpa/Dockerfile
             platforms: linux/amd64
           - ecr_repository: modernising-lpa/create-s3-batch-replication-job
+            name: create-s3-batch-replication-job
             path: ./lambda/create_s3_replication_job/Dockerfile
             platforms: linux/amd64
           - ecr_repository: modernising-lpa/event-received
+            name: event-received
             path: ./docker/event-received/Dockerfile
             platforms: linux/amd64
           - ecr_repository: modernising-lpa/mock-pay
+            name: mock-pay
             path: ./docker/mock-pay/Dockerfile
             platforms: linux/amd64
 
@@ -107,6 +111,21 @@ jobs:
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'
+      - name: Trivy Image SBOM Generator for ${{ matrix.ecr_repository }} and submit results to Dependency Graph
+        id: trivy_sbom
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: ${{ matrix.ecr_repository }}:${{ inputs.tag }}
+          format: 'github'
+          output: '${{ matrix.name }}-${{ inputs.tag }}.sbom.json'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload trivy report as a Github artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sbom-report-${{ matrix.name }}-${{ inputs.tag }}
+          path: '${{ github.workspace }}/${{ matrix.name }}-${{ inputs.tag }}.sbom.json'
+          retention-days: 20 # 90 is the default
 
       - name: Push ${{ matrix.ecr_repository }} Image to ECR for PR
         if: ${{ github.workflow != 'Path To Live' }}