MLPAB-2343 - create a self service SBOM generation workflow in GitHub…
… actions (#1390)
andrewpearce-digital authored Jul 31, 2024
1 parent 1420523 commit 91880ff
Showing 3 changed files with 20 additions and 11 deletions.
14 changes: 12 additions & 2 deletions .github/workflows/dispatch_export_sbom.yml
Expand Up @@ -26,19 +26,29 @@ defaults:
shell: bash

jobs:

export_sbom:
name: Export Software Bill of Materials (SBOM) for ${{ inputs.image_tag }}
name: Export Software Bill of Materials (SBOM) for modernising-lpa ${{ inputs.image_tag }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: unfor19/install-aws-cli-action@v1
- name: Configure AWS Credentials
uses: aws-actions/[email protected]
with:
aws-region: eu-west-1
role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-sbom-export
role-duration-seconds: 900
role-session-name: GithubActionsExportSBOM
- name: Request and Download SBO Export for ${{ inputs.image_tag }}
- name: Request and Download SBOM Export for modernising-lpa ${{ inputs.image_tag }}
working-directory: scripts/sbom_exporter
id: export_and_download_sbom
run: |
./export_ecr_image_sbom.sh modernising-lpa ${{ inputs.image_tag }} modernising_lpa_filter_criteria.json
- name: Upload SBOMs as a Github artifact
if: always()
uses: actions/upload-artifact@v4
with:
name: modernising-lpa-sbom-${{ inputs.image_tag }}
path: '${{ github.workspace }}/scripts/sbom_exporter/exports/**/*.json'
retention-days: 20
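Review bot: The `run` line `./export_ecr_image_sbom.sh modernising-lpa ${{ inputs.image_tag }} modernising_lpa_filter_criteria.json` expands a workflow_dispatch input directly into the shell command text, so a tag value containing shell metacharacters is interpreted by bash rather than passed as an argument; hand it over through the environment instead, with `env:` / `IMAGE_TAG: ${{ inputs.image_tag }}` on the step and `./export_ecr_image_sbom.sh modernising-lpa "$IMAGE_TAG" modernising_lpa_filter_criteria.json` in `run` (the same expression in the step `name` lines is not executed and is fine). The two third-party actions added in the hunk, `unfor19/install-aws-cli-action@v1` and the `aws-actions/configure-aws-credentials` step (its version string is garbled on this page), are pinned to mutable tags; pinning to a full commit SHA with the tag in a trailing comment gives this SBOM pipeline the same supply-chain integrity it is meant to provide for the images. `id: export_and_download_sbom` is not referenced by any step visible here, so it may be dead. The workflow's `on:` and `inputs` declarations are above the hunk and not visible.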
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -41,3 +41,4 @@ multi-reporter-config.json
/coverage/*

scripts/sbom_exporter/exports/*
scripts/sbom_exporter/tmp.*.json
16 changes: 7 additions & 9 deletions scripts/sbom_exporter/export_ecr_image_sbom.sh
Expand Up @@ -20,8 +20,7 @@ echo "Using filter criteria file: $FILTER_CRITERIA_FILE"
jq --arg tag "$IMAGE_TAG" '.ecrImageTags = [{"comparison": "EQUALS", "value": $tag}]' $FILTER_CRITERIA_FILE > tmp.$$.json

# Create a SBOM export
REQUEST=$(aws-vault exec management-operator -- \
aws inspector2 create-sbom-export \
REQUEST=$(aws inspector2 create-sbom-export \
--report-format SPDX_2_3 \
--resource-filter-criteria file://tmp.$$.json \
--s3-destination bucketName=opg-aws-inspector-sbom,keyPrefix=$SERVICE_NAME/$IMAGE_TAG,kmsKeyArn=arn:aws:kms:eu-west-1:311462405659:key/mrk-1899eeb57e6045d1a85310e1edda47c9)
Expand All @@ -34,19 +33,18 @@ echo "SBOM export request id: $REPORT_ID"

# Wait for export to complete
while true; do
RESPONSE=$(aws-vault exec management-operator -- aws inspector2 get-sbom-export --report-id $REPORT_ID)
RESPONSE=$(aws inspector2 get-sbom-export --report-id $REPORT_ID)
STATUS=$(echo $RESPONSE | jq -r '.status')

if [ "$STATUS" != "IN_PROGRESS" ]; then
echo "Final response:"
echo $RESPONSE | jq -C
mkdir -p exports/$IMAGE_TAG
echo "Final status: $STATUS"
mkdir -p exports/$SERVICE_NAME/$IMAGE_TAG
echo "downloading SBOMs from S3..."
aws-vault exec management-operator -- \
aws s3 cp s3://opg-aws-inspector-sbom/$SERVICE_NAME/$IMAGE_TAG/SPDX_2_3_outputs_$REPORT_ID/account=$ACCOUNT_ID/resource=AWS_ECR_CONTAINER_IMAGE/ ./exports/$IMAGE_TAG --recursive
aws s3 cp s3://opg-aws-inspector-sbom/$SERVICE_NAME/$IMAGE_TAG/SPDX_2_3_outputs_$REPORT_ID/account=$ACCOUNT_ID/resource=AWS_ECR_CONTAINER_IMAGE/ ./exports/$SERVICE_NAME/$IMAGE_TAG --recursive
echo "replacing : with - ..."
for f in exports/$SERVICE_NAME/$IMAGE_TAG/*.json; do mv -- "$f" "$(echo "$f" | tr ':' '-')"; done
break
fi

echo "Status is $STATUS. Retrying in 10 seconds..."
sleep 10
done
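Review bot: The terminal-state check `if [ "$STATUS" != "IN_PROGRESS" ]` in the second hunk treats every non-running status as success, so a failed or cancelled export still proceeds to `aws s3 cp` and, unless the script header (not visible here) sets `set -e`, the script exits 0 and the workflow goes green with no SBOM; after `echo "Final status: $STATUS"` add `if [ "$STATUS" != "SUCCEEDED" ]; then echo "SBOM export ended with status $STATUS" >&2; exit 1; fi`. `$REPORT_ID` in the new `get-sbom-export` call and `$RESPONSE` in the `jq` pipeline are unquoted; `"$REPORT_ID"` and `"$RESPONSE"` avoid word splitting and glob expansion of the JSON, and `$FILTER_CRITERIA_FILE` in the first hunk's `jq` line has the same issue. The `while true` loop has no iteration cap, so a stuck export is bounded only by the runner's job timeout; a counter with a maximum wait would fail fast with a clear message. The `tmp.$$.json` request file written in the first hunk is not removed anywhere visible (the new `.gitignore` entry suggests it is left behind); a `trap 'rm -f "tmp.$$.json"' EXIT` near the top of the script would clean it up. The script's header (argument parsing and any `set` options) is above the first hunk and not visible.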
