feat: add sboms and vuln scanning (#157)

Author: JonZeolla

.github/workflows/commit.yml

@@ -39,7 +39,14 @@ jobs:
           path: ~/.local/share/virtualenvs
           key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
       - name: Install the dependencies
-        run: python -m pip install --upgrade pipenv
+        run: |
+          python -m pip install --upgrade pipenv
+          mkdir "${RUNNER_TEMP}/bin"
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
+          chmod +x "${RUNNER_TEMP}/bin/syft"
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
+          chmod +x "${RUNNER_TEMP}/bin/grype"
+          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
       - name: Install Task
         uses: arduino/setup-task@v1
       - name: Initialize the repo
@@ -54,6 +61,26 @@ jobs:
         run: task -v test -- debug
         env:
           PLATFORM: ${{ matrix.platform }}
+      - name: Generate the SBOMs
+        run: task -v sbom
+        env:
+          PLATFORM: ${{ matrix.platform }}
+      - name: Upload the SBOMs to GitHub
+        uses: actions/upload-artifact@v3
+        with:
+          name: SBOM
+          path: sbom.*.json
+          if-no-files-found: error
+      - name: Generate vuln scan results
+        run: task -v vulnscan
+        env:
+          PLATFORM: ${{ matrix.platform }}
+      - name: Upload the vuln scan results to GitHub
+        uses: actions/upload-artifact@v3
+        with:
+          name: Vulns
+          path: vulns.*.json
+          if-no-files-found: error
   distribute:
     name: Distribute
     needs: [test]
@@ -65,7 +92,7 @@ jobs:
       - name: Checkout the repository
         uses: actions/checkout@v3
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.SEISO_AUTOMATION_PAT }}
           fetch-depth: 0
       - name: Setup python
         uses: actions/setup-python@v4
@@ -76,7 +103,14 @@ jobs:
           path: ~/.local/share/virtualenvs
           key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
       - name: Install the dependencies
-        run: python -m pip install --upgrade pipenv
+        run: |
+          python -m pip install --upgrade pipenv
+          mkdir "${RUNNER_TEMP}/bin"
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
+          chmod +x "${RUNNER_TEMP}/bin/syft"
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
+          chmod +x "${RUNNER_TEMP}/bin/grype"
+          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
       - name: Install Task
         uses: arduino/setup-task@v1
       - name: Initialize the repo
@@ -97,6 +131,26 @@ jobs:
         run: task -v publish
         env:
           PLATFORM: all
+      - name: Generate the SBOMs
+        run: task -v sbom
+        env:
+          PLATFORM: all
+      - name: Upload the SBOMs to GitHub
+        uses: actions/upload-artifact@v3
+        with:
+          name: SBOM
+          path: sbom.*.json
+          if-no-files-found: error
+      - name: Generate vuln scan results
+        run: task -v vulnscan
+        env:
+          PLATFORM: all
+      - name: Upload the vuln scan results to GitHub
+        uses: actions/upload-artifact@v3
+        with:
+          name: Vulns
+          path: vulns.*.json
+          if-no-files-found: error
       - name: Publish the release README to Docker Hub
         uses: peter-evans/dockerhub-description@v3
         with:
@@ -115,5 +169,9 @@ jobs:
         with:
           name: ${{ env.TAG }}
           tag_name: ${{ env.TAG }}
+          generate_release_notes: true
+          files: |
+            vulns.*.json
+            sbom.*.json
           draft: false
           prerelease: false

.gitignore

@@ -1,6 +1,8 @@
 *.tar
 .ruff_cache
 .task/*
+sbom.*.json
+vulns.*.json
 
 # Created by https://www.toptal.com/developers/gitignore/api/vim,emacs,vs,python,node,macos
 # Edit at https://www.toptal.com/developers/gitignore?templates=vim,emacs,vs,python,node,macos

Task/Taskfile.yml

@@ -80,7 +80,7 @@ tasks:
       - pipenv run pre-commit validate-manifest .pre-commit-hooks.yaml
     status:
       - '! test -f .pre-commit-hooks.yaml'
- 
+
   build:
     desc: Build the project; docker images, compiled binaries, etc.
     platforms: [linux, darwin]
@@ -89,7 +89,7 @@ tasks:
       vars: ['VERSION']
     vars:
       VERSION: '{{.VERSION}}'
-      PLATFORM: '{{.PLATFORM | default .LOCAL_PLATFORM}}'
+      PLATFORM: '{{if eq .PLATFORM "all"}}{{.SUPPORTED_PLATFORMS}}{{else if .PLATFORM}}{{.PLATFORM}}{{else}}{{.LOCAL_PLATFORM}}{{end}}'
       PUBLISH: '{{.PUBLISH | default "false"}}'
       DOCKER_BUILDX_CUSTOM_ARGS: '{{.DOCKER_BUILDX_CUSTOM_ARGS | default ""}}'
       TAG_COMMIT_HASH:
@@ -239,3 +239,45 @@ tasks:
       - find {{.ROOT_DIR}} -type f -name '*.pyc' -delete
       - find {{.ROOT_DIR}} -type d -name '.ruff_cache' -exec rm -rf {} +
       - find {{.ROOT_DIR}} -type d -name '.task' -exec rm -rf {} +
+      - find {{.ROOT_DIR}} -type f -name 'sbom.*.json' -delete
+      - find {{.ROOT_DIR}} -type f -name 'vulns.*.json' -delete
+
+  sbom:
+    desc: Generate project SBOMs
+    dir: ../../..
+    preconditions:
+      - sh: which syft
+        msg: "Syft must be installed and reasonably current"
+    vars:
+      IMAGE_AND_TAG: '{{.IMAGE_NAME}}:{{.VERSION}}'
+      PLATFORM: '{{if eq .PLATFORM "all"}}{{.SUPPORTED_PLATFORMS}}{{else if .PLATFORM}}{{.PLATFORM}}{{else}}{{.LOCAL_PLATFORM}}{{end}}'
+    cmds:
+      - for:
+          var: PLATFORM
+          split: ','
+          as: platform
+        cmd: |
+          export sanitized_platform=$(echo "{{.platform}}" | sed "s%/%_%g")                                               \
+          && syft docker:{{.IMAGE_AND_TAG}} --platform {{.platform}}                                                      \
+                                         -o json=sbom.{{.PROJECT_SLUG}}.{{.VERSION}}.${sanitized_platform}.json           \
+                                         -o spdx-json=sbom.{{.PROJECT_SLUG}}.{{.VERSION}}.${sanitized_platform}.spdx.json \
+                                         -o cyclonedx-json=sbom.{{.PROJECT_SLUG}}.{{.VERSION}}.${sanitized_platform}.cyclonedx.json
+
+  vulnscan:
+    desc: Vuln scan the SBOM
+    dir: ../../..
+    vars:
+      PLATFORM: '{{if eq .PLATFORM "all"}}{{.SUPPORTED_PLATFORMS}}{{else if .PLATFORM}}{{.PLATFORM}}{{else}}{{.LOCAL_PLATFORM}}{{end}}'
+    preconditions:
+      - sh: which grype
+        msg: "Grype must be installed and reasonably current"
+    cmds:
+      - for:
+          var: PLATFORM
+          split: ','
+          as: platform
+        cmd: |
+          export sanitized_platform=$(echo "{{.platform}}" | sed "s%/%_%g")            \
+          && grype sbom:sbom.{{.PROJECT_SLUG}}.{{.VERSION}}.${sanitized_platform}.json \
+               --output json                                                           \
+               --file vulns.{{.PROJECT_SLUG}}.{{.VERSION}}.${sanitized_platform}.json

Task/bash/Taskfile.yml

@@ -72,3 +72,13 @@ tasks:
     desc: Clean up build artifacts, cache files/directories, temp files, etc.
     cmds:
       - task: base:clean
+
+  sbom:
+    desc: Generate project SBOMs
+    cmds:
+      - task: base:sbom
+
+  vulnscan:
+    desc: Vuln scan the SBOM
+    cmds:
+      - task: base:vulnscan

Task/python/Taskfile.yml

@@ -80,3 +80,13 @@ tasks:
       - task: base:clean
       - find {{.ROOT_DIR}} -type d -name 'coverage-reports' -exec rm -rf {} +
       - find {{.ROOT_DIR}} -type f -name '.coverage' -delete
+
+  sbom:
+    desc: Generate project SBOMs
+    cmds:
+      - task: base:sbom
+
+  vulnscan:
+    desc: Vuln scan the SBOM
+    cmds:
+      - task: base:vulnscan

Taskfile.yml

@@ -102,7 +102,7 @@ tasks:
     cmds:
       - task: bash:build
         vars:
-          PLATFORM: '{{if eq .PLATFORM "all"}}{{.SUPPORTED_PLATFORMS}}{{else if .PLATFORM}}{{.PLATFORM}}{{else}}{{.LOCAL_PLATFORM}}{{end}}'
+          PLATFORM: '{{.PLATFORM | default .LOCAL_PLATFORM}}'
 
   test:
     desc: Run the project tests
@@ -149,9 +149,19 @@ tasks:
       # We call into the bash:publish instead of across to build to simplify centralized policy assessments (i.e. "is the project using a goat-provided task?")
       - task: bash:publish
         vars:
-          PLATFORM: '{{if eq .PLATFORM "all"}}{{.SUPPORTED_PLATFORMS}}{{else if .PLATFORM}}{{.PLATFORM}}{{else}}{{.LOCAL_PLATFORM}}{{end}}'
+          PLATFORM: '{{.PLATFORM | default .LOCAL_PLATFORM}}'
 
   update:
     desc: Update the project dev and runtime dependencies, and pre-commit hash
     cmds:
       - task: bash:update
+
+  sbom:
+    desc: Generate project SBOMs
+    cmds:
+      - task: bash:sbom
+
+  vulnscan:
+    desc: Vuln scan the SBOM
+    cmds:
+      - task: bash:vulnscan