feat: add sboms and vulnscans (#92)

JonZeolla · web-flow · commit a4604a68d62a · 2023-08-15T11:35:50.000-04:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -69,8 +69,6 @@ jobs:
         run: task -v init
       - name: Validate the repo
         run: task -v validate
-      - name: Set up QEMU for cross-platform emulation
-        uses: docker/setup-qemu-action@v2
       - name: Run the tests
         run: task -v test
   bump-version:
@@ -80,8 +78,6 @@ jobs:
     permissions:
       contents: write
     runs-on: ubuntu-22.04
-    outputs:
-      tag: ${{ steps.bump-version.outputs.tag }}
     steps:
       - name: Checkout the repository
         uses: actions/checkout@v3
@@ -120,5 +116,6 @@ jobs:
         with:
           name: ${{ steps.bump-version.outputs.tag }}
           tag_name: ${{ steps.bump-version.outputs.tag }}
+          generate_release_notes: true
           draft: false
           prerelease: false
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -2,7 +2,7 @@
 name: "Security"
 
 on:
-  - workflow_dispatch
+  workflow_dispatch:
 
 env:
   python_version: "3.11"
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 .task/*
+sbom.*.json
+vulns.*.json
 
 # Created by https://www.toptal.com/developers/gitignore/api/vim,emacs,visualstudiocode,python,macos,windows
 # Edit at https://www.toptal.com/developers/gitignore?templates=vim,emacs,visualstudiocode,python,macos,windows
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -97,6 +97,15 @@ tasks:
 
   release:
     desc: Cut a project release
-    deps: [test]
     cmds:
       - task: py:release
+
+  sbom:
+    desc: Generate project SBOMs
+    cmds:
+      - task: bash:sbom
+
+  vulnscan:
+    desc: Vuln scan the SBOM
+    cmds:
+      - task: bash:vulnscan
diff --git a/goat b/goat
@@ -1 +1 @@
-Subproject commit d14af4e63ad35d475442c535ecbf1b6047310e51
+Subproject commit 2c6d49ad45e15c4b591471f1d32beba8d9f70ea4
diff --git a/tests/test_cookiecutter.py b/tests/test_cookiecutter.py
@@ -7,6 +7,7 @@
 import itertools
 import json
 import os
+import platform as plat
 import re
 import subprocess
 import sys
@@ -18,6 +19,8 @@
 import yaml
 from jinja2 import Template
 
+LOCAL_PLATFORM = f"{plat.system().lower()}/{plat.machine()}"
+
 
 def get_config() -> dict:
     """Generate all the config keys"""
@@ -168,6 +171,7 @@ def test_default_project(cookies):
         # Build and test all supported architectures
         env = os.environ.copy()
         env["PLATFORM"] = "all"
+        # We don't test sbom or vulnscan here because multiplatform builds aren't loaded into the local docker daemon
         subprocess.run(
             ["task", "init", "lint", "validate", "build", "test"],
             capture_output=True,
@@ -187,6 +191,16 @@ def test_default_project(cookies):
                 env=env,
             )
 
+            # This is because only the build for the local platform is loaded into the docker daemon
+            if platform == LOCAL_PLATFORM:
+                subprocess.run(
+                    ["task", "sbom", "vulnscan"],
+                    capture_output=True,
+                    check=True,
+                    cwd=project,
+                    env=env,
+                )
+
         # Do two releases to ensure they work
         for _ in range(2):
             subprocess.run(
diff --git a/{{cookiecutter.project_name|replace(" ", "")}}/.github/workflows/commit.yml b/{{cookiecutter.project_name|replace(" ", "")}}/.github/workflows/commit.yml
@@ -51,7 +51,14 @@ jobs:
             ${{ "{{ runner.os }}" }}-python-${{ "{{ env.python_version }}" }}-pipenv-
             ${{ "{{ runner.os }}" }}-python-
       - name: Install the dependencies
-        run: python -m pip install --upgrade pipenv
+        run: |
+          python -m pip install --upgrade pipenv
+          mkdir "${RUNNER_TEMP}/bin"
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
+          chmod +x "${RUNNER_TEMP}/bin/syft"
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
+          chmod +x "${RUNNER_TEMP}/bin/grype"
+          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
       - name: Install Task
         uses: arduino/setup-task@v1
       - name: Initialize the repo
@@ -68,6 +75,26 @@ jobs:
         run: task -v test
         env:
           PLATFORM: ${{ "{{ matrix.platform }}" }}
+      - name: Generate the SBOMs
+        run: task -v sbom
+        env:
+          PLATFORM: ${{ "{{ matrix.platform }}" }}
+      - name: Upload the SBOMs
+        uses: actions/upload-artifact@v3
+        with:
+          name: SBOM
+          path: sbom.*.json
+          if-no-files-found: error
+      - name: Generate vuln scan results
+        run: task -v vulnscan
+        env:
+          PLATFORM: ${{ "{{ matrix.platform }}" }}
+      - name: Upload the vuln scan results
+        uses: actions/upload-artifact@v3
+        with:
+          name: Vulns
+          path: vulns.*.json
+          if-no-files-found: error
 {%- if cookiecutter.versioning == "CalVer" %}
   bump-version:
     name: Bump version
@@ -109,13 +136,21 @@ jobs:
           BRANCH="$(git branch --show-current)"
           git push --atomic origin "${BRANCH}" "${TAG}"
           echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"
+      - name: Download the SBOMs and Vuln scan results
+        uses: actions/download-artifact@v3
+        with:
+          path: ${{ "{{ runner.temp }}" }}
       - name: Publish the release to GitHub
         uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ "{{ secrets.GITHUB_TOKEN }}" }}
         with:
           name: ${{ "{{ steps.bump-version.outputs.tag }}" }}
           tag_name: ${{ "{{ steps.bump-version.outputs.tag }}" }}
+          generate_release_notes: true
+          files: |
+            ${{ "{{ runner.temp }}" }}/Vulns/vulns.*.json
+            ${{ "{{ runner.temp }}" }}/SBOM/sbom.*.json
           draft: false
           prerelease: false
 {%- endif -%}
diff --git a/{{cookiecutter.project_name|replace(" ", "")}}/.github/workflows/release.yml b/{{cookiecutter.project_name|replace(" ", "")}}/.github/workflows/release.yml
@@ -18,6 +18,12 @@ jobs:
   distribute:
     name: Distribute
     runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
     permissions:
       contents: write
     steps:
@@ -42,14 +48,41 @@ jobs:
         uses: arduino/setup-task@v1
       - name: Initialize the repo
         run: task -v init
+      - name: Set up QEMU for cross-platform emulation
+        uses: docker/setup-qemu-action@v2
       - name: Build the image(s)
         run: task -v build
+      - name: Generate the SBOMs
+        run: task -v sbom
+        env:
+          PLATFORM: ${{ "{{ matrix.platform }}" }}
+      - name: Upload the SBOMs
+        uses: actions/upload-artifact@v3
+        with:
+          name: SBOM
+          path: sbom.*.json
+          if-no-files-found: error
+      - name: Generate vuln scan results
+        run: task -v vulnscan
+        env:
+          PLATFORM: ${{ "{{ matrix.platform }}" }}
+      - name: Upload the vuln scan results
+        uses: actions/upload-artifact@v3
+        with:
+          name: Vulns
+          path: vulns.*.json
+          if-no-files-found: error
       - name: Publish the release to GitHub
         uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ "{{ secrets.GITHUB_TOKEN }}" }}
         with:
           name: ${{ "{{ env.TAG }}" }}
+          tag_name: ${{ "{{ env.TAG }}" }}
+          generate_release_notes: true
+          files: |
+            vulns.*.json
+            sbom.*.json
           draft: false
           prerelease: false
 {%- if cookiecutter.dockerhub == 'yes' %}
@@ -65,8 +98,6 @@ jobs:
           password: ${{ "{{ secrets.DOCKERHUB_TOKEN }}" }}
           repository: seiso/{{ cookiecutter.project_slug }}
           short-description: {{ cookiecutter.project_short_description }}
-      - name: Set up QEMU for cross-platform emulation
-        uses: docker/setup-qemu-action@v2
       - name: Publish the release to Docker Hub
         run: task -v publish
         env:
diff --git a/{{cookiecutter.project_name|replace(" ", "")}}/.github/workflows/security.yml b/{{cookiecutter.project_name|replace(" ", "")}}/.github/workflows/security.yml
@@ -11,9 +11,8 @@ on:
       - main
   schedule:
     - cron: '{{ range(0, 59) | random }} {{ range(2, 4) | random }} * * *'
-{%- elif cookiecutter.public == 'no' %}
-  - workflow_dispatch
 {%- endif %}
+  workflow_dispatch:
 
 env:
   python_version: "{{ cookiecutter.python_version }}"
diff --git a/{{cookiecutter.project_name|replace(" ", "")}}/.gitignore b/{{cookiecutter.project_name|replace(" ", "")}}/.gitignore
@@ -1,4 +1,6 @@
 .task/*
+sbom.*.json
+vulns.*.json
 
 # Created by https://www.toptal.com/developers/gitignore/api/vim,emacs,visualstudiocode,python,macos,windows
 # Edit at https://www.toptal.com/developers/gitignore?templates=vim,emacs,visualstudiocode,python,macos,windows
diff --git a/{{cookiecutter.project_name|replace(" ", "")}}/Taskfile.yml b/{{cookiecutter.project_name|replace(" ", "")}}/Taskfile.yml
@@ -125,6 +125,16 @@ tasks:
     cmds:
       - task: py:release
 
+  sbom:
+    desc: Generate project SBOMs
+    cmds:
+      - task: py:sbom
+
+  vulnscan:
+    desc: Vuln scan the SBOM
+    cmds:
+      - task: py:vulnscan
+
 {%- if cookiecutter.dockerhub == 'yes' %}
 
   publish:
