From a6c2b8ad21c11965a8742fafef11dd57e99e2037 Mon Sep 17 00:00:00 2001 From: ykaiboussiSO Date: Wed, 1 Jul 2026 12:13:13 -0500 Subject: [PATCH 1/7] chore: Add SBOM vulnerability scans BED-8648 Resolves: BED-8648 --- .github/workflows/vulnerability-scans.yml | 49 +++++++++++++++++++++++ .syft.yaml | 17 ++++++++ 2 files changed, 66 insertions(+) create mode 100644 .github/workflows/vulnerability-scans.yml create mode 100644 .syft.yaml diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml new file mode 100644 index 00000000000..44703aa877f --- /dev/null +++ b/.github/workflows/vulnerability-scans.yml @@ -0,0 +1,49 @@ +# Copyright 2026 Specter Ops, Inc. +# +# Licensed under the Apache License, Version 2.0 +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +name: Vulnerability Scan + +on: + pull_request: + branches: + - main + - "stage/**" + types: + - opened + - synchronize + - reopened + +jobs: + scan-sbom-file: + runs-on: ubuntu-latest + steps: + - name: Checkout source code for this repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + + - name: Create SBOM File + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 #v1.42.3 + with: + format: spdx-json + output-file: "${{ github.event.repository.name }}-sbom.spdx.json" + config: .syft.yaml + + - name: Scan SBOM File + uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0 + with: + sbom: "${{ github.event.repository.name }}-sbom.spdx.json" + by-cve: true + severity-cutoff: critical + only-fixed: true diff --git a/.syft.yaml b/.syft.yaml new file mode 100644 index 00000000000..7906b1086b4 --- /dev/null +++ b/.syft.yaml @@ -0,0 +1,17 @@ +# Copyright 2026 Specter Ops, Inc. +# +# Licensed under the Apache License, Version 2.0 +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +exclude: + - "./node_modules/**" From 4d6abadafd0b3280298f0957ee65b841a95fed2d Mon Sep 17 00:00:00 2001 From: ykaiboussiSO Date: Mon, 6 Jul 2026 09:47:36 -0500 Subject: [PATCH 2/7] address CR Suggestion Security Enhancements --- .github/workflows/vulnerability-scans.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml index 44703aa877f..9fd4f230883 100644 --- a/.github/workflows/vulnerability-scans.yml +++ b/.github/workflows/vulnerability-scans.yml @@ -26,12 +26,16 @@ on: - synchronize - reopened +permissions: + contents: read jobs: scan-sbom-file: runs-on: ubuntu-latest steps: - name: Checkout source code for this repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + with: + persist-credentials: false - name: Create SBOM File uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 #v1.42.3 From ba9f1621b65fceadd7a50bebf3ce5dcdea047bef Mon Sep 17 00:00:00 2001 From: ykaiboussiSO Date: Tue, 7 Jul 2026 12:19:53 -0500 Subject: [PATCH 3/7] Pin GH Actions using Ratchet & update severity cutoff --- .github/workflows/vulnerability-scans.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml index 9fd4f230883..20f7af4d330 100644 --- a/.github/workflows/vulnerability-scans.yml +++ b/.github/workflows/vulnerability-scans.yml @@ -38,16 +38,16 @@ jobs: persist-credentials: false - name: Create SBOM File - uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 #v1.42.3 + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # ratchet:anchore/sbom-action@v0.24.0 with: format: spdx-json output-file: "${{ github.event.repository.name }}-sbom.spdx.json" config: .syft.yaml - name: Scan SBOM File - uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0 + uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # ratchet:anchore/scan-action@v7.4.0 with: sbom: "${{ github.event.repository.name }}-sbom.spdx.json" by-cve: true - severity-cutoff: critical + severity-cutoff: high only-fixed: true From 634df205175f5cfe9243d09f965b7baaec48ff40 Mon Sep 17 00:00:00 2001 From: ykaiboussiSO Date: Tue, 7 Jul 2026 13:08:08 -0500 Subject: [PATCH 4/7] add a step to output the results --- .github/workflows/vulnerability-scans.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml index 20f7af4d330..323267fe479 100644 --- a/.github/workflows/vulnerability-scans.yml +++ b/.github/workflows/vulnerability-scans.yml @@ -51,3 +51,4 @@ jobs: by-cve: true severity-cutoff: high only-fixed: true + output-format: table From 1312e7d54cfabc79b3170f591db566cb77333510 Mon Sep 17 00:00:00 2001 From: ykaiboussiSO Date: Tue, 7 Jul 2026 13:08:55 -0500 Subject: [PATCH 5/7] Update vulnerability-scans.yml --- .github/workflows/vulnerability-scans.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml index 323267fe479..5a5135a51b7 100644 --- a/.github/workflows/vulnerability-scans.yml +++ b/.github/workflows/vulnerability-scans.yml @@ -52,3 +52,8 @@ jobs: severity-cutoff: high only-fixed: true output-format: table + output-file: /tmp/output + + - name: Output vulnerability results + if: failure() + run: cat /tmp/output From 8c807761d9c99f6ef534c86706d8c925d71c4452 Mon Sep 17 00:00:00 2001 From: ykaiboussiSO Date: Tue, 7 Jul 2026 13:42:16 -0500 Subject: [PATCH 6/7] add config to suppress vulnerabilities for review --- .grype.yaml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .grype.yaml diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 00000000000..f2df7909143 --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,2 @@ +ignore: + # - vulnerability: From 9b4d270e594ae33effa931a8135b0cf6b696565d Mon Sep 17 00:00:00 2001 From: ykaiboussiSO Date: Tue, 7 Jul 2026 13:57:39 -0500 Subject: [PATCH 7/7] fix pfc --- .grype.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.grype.yaml b/.grype.yaml index f2df7909143..c053fb03164 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1,2 +1,17 @@ +# Copyright 2026 Specter Ops, Inc. +# +# Licensed under the Apache License, Version 2.0 +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 ignore: # - vulnerability: