diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml new file mode 100644 index 000000000000..5a5135a51b78 --- /dev/null +++ b/.github/workflows/vulnerability-scans.yml @@ -0,0 +1,59 @@ +# Copyright 2026 Specter Ops, Inc. +# +# Licensed under the Apache License, Version 2.0 +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +name: Vulnerability Scan + +on: + pull_request: + branches: + - main + - "stage/**" + types: + - opened + - synchronize + - reopened + +permissions: + contents: read +jobs: + scan-sbom-file: + runs-on: ubuntu-latest + steps: + - name: Checkout source code for this repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + with: + persist-credentials: false + + - name: Create SBOM File + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # ratchet:anchore/sbom-action@v0.24.0 + with: + format: spdx-json + output-file: "${{ github.event.repository.name }}-sbom.spdx.json" + config: .syft.yaml + + - name: Scan SBOM File + uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # ratchet:anchore/scan-action@v7.4.0 + with: + sbom: "${{ github.event.repository.name }}-sbom.spdx.json" + by-cve: true + severity-cutoff: high + only-fixed: true + output-format: table + output-file: /tmp/output + + - name: Output vulnerability results + if: failure() + run: cat /tmp/output diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 000000000000..c053fb03164f --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,17 @@ +# Copyright 2026 Specter Ops, Inc. +# +# Licensed under the Apache License, Version 2.0 +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +ignore: + # - vulnerability: diff --git a/.syft.yaml b/.syft.yaml new file mode 100644 index 000000000000..7906b1086b4a --- /dev/null +++ b/.syft.yaml @@ -0,0 +1,17 @@ +# Copyright 2026 Specter Ops, Inc. +# +# Licensed under the Apache License, Version 2.0 +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +exclude: + - "./node_modules/**"