diff --git a/.forgejo/workflows/docker-build.yml b/.forgejo/workflows/docker-build.yml
index 12af44d..43ea694 100644
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@@ -45,8 +45,19 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4
+
 - name: Build proxy image for scanning
 run: docker build -t scan/proxy:latest ./proxy
+
+ - name: Generate proxy SBOM
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: scan/proxy:latest
+ format: cyclonedx
+ output: sbom-proxy.cdx.json
+ exit-code: '0'
+ vuln-type: os,library
+
 - name: Scan proxy image
 uses: aquasecurity/trivy-action@v0.35.0
 with:
@@ -56,8 +67,19 @@ jobs:
 severity: HIGH,CRITICAL
 ignore-unfixed: true
 vuln-type: os,library
+
 - name: Build claude image for scanning
 run: docker build -t scan/claude:latest ./claude
+
+ - name: Generate claude SBOM
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: scan/claude:latest
+ format: cyclonedx
+ output: sbom-claude.cdx.json
+ exit-code: '0'
+ vuln-type: os,library
+
 - name: Scan claude image
 uses: aquasecurity/trivy-action@v0.35.0
 with:
@@ -68,6 +90,16 @@ jobs:
 ignore-unfixed: true
 vuln-type: os,library
 
+ - name: Upload SBOMs
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: sboms-${{ env.GITHUB_RUN_NUMBER }}
+ path: |
+ sbom-proxy.cdx.json
+ sbom-claude.cdx.json
+ retention-days: 90
+
 build-and-push:
 needs: scan
 runs-on: docker-cli
@@ -96,6 +128,8 @@ jobs:
 with:
 context: proxy
 push: true
+ sbom: true
+ provenance: true
 platforms: linux/amd64, linux/arm64
 tags: |
 ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:0.1.${{ env.GITHUB_RUN_NUMBER }}
@@ -105,6 +139,8 @@ jobs:
 with:
 context: claude
 push: true
+ sbom: true
+ provenance: true
 platforms: linux/amd64, linux/arm64
 tags: |
 ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:0.1.${{ env.GITHUB_RUN_NUMBER }}
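Review bot: The new `Generate proxy SBOM` step references `aquasecurity/trivy-action@v0.35.0` by a mutable release tag, so the SBOM generator (and the scan gate right below it, which uses the same reference) runs whatever commit that tag resolves to on the day of the build; pin it to the release's full commit SHA and keep the version readable as a trailing comment, `uses: aquasecurity/trivy-action@<full-commit-sha>  # v0.35.0`, and do the same for `actions/checkout@v4`. The step also passes `vuln-type: os,library`, which is a vulnerability-scan filter and, as far as I can tell, has no effect on CycloneDX output, so dropping it would make the step's intent clearer. Note that `scan/proxy:latest` comes from a plain `docker build`, i.e. the runner's native platform only, while the push job builds `linux/amd64, linux/arm64`; the SBOM and the HIGH/CRITICAL gate therefore cover only one of the two published variants, which is worth a comment on the build step, `# native-platform build: scan/SBOM coverage excludes the other published arch`.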
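Review bot: The `Generate claude SBOM` step is a line-for-line copy of the proxy step with only the image name changed, and with this commit the build, SBOM, scan and push steps now all exist twice; a `strategy.matrix` over `image: [proxy, claude]` (if the runner supports it) would keep the two images' scan settings from drifting apart, and the per-image `exit-code`/`severity` values in this hunk are exactly where such drift would first appear. The same pinning concern applies to `aquasecurity/trivy-action@v0.35.0` here: pin to the release commit SHA rather than the tag.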
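Review bot: With `if: always()` the `Upload SBOMs` step publishes the `sboms-N` artifact even when the scan steps above failed, so a consumer of the artifact cannot tell whether it describes an image that passed the HIGH/CRITICAL gate or one the run rejected; either drop `if: always()` so the artifact only exists for runs that reached the push, or keep it and add `if-no-files-found: error` so a failed `docker build` shows up as a failed upload instead of a quietly empty artifact. These files are also not the SBOM of what gets pushed: `build-and-push` rebuilds from scratch and attaches its own BuildKit-generated SBOM via `sbom: true`, so the two can legitimately differ (base-image digest resolved at a different time, single platform here versus two there). A comment on this step would save the next reader that investigation, `# SBOM of the scan-job build (native platform only, unsigned); the pushed image carries its own BuildKit SBOM attestation`.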
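Review bot: `provenance: true` leaves the provenance mode implicit, and the two modes have different security properties: `mode=max` records the full build definition including build args, so it must not be combined with secrets passed as `build-args`, while the minimal mode omits that detail; make the choice explicit so readers do not have to know the BuildKit default, e.g. `provenance: mode=min` (or `mode=max` if the fuller record is wanted and no secrets travel through build args). Enabling attestations also changes what the `docker-public` tags point to — an OCI image index carrying extra `unknown/unknown` attestation manifests alongside the two platform manifests — so the registry at `vars.REGISTRY_URL` and any downstream scanner should be checked for handling that before consumers depend on these tags. Neither the SBOM nor the provenance attestation is signed by anything visible in this diff; if consumers are expected to verify them, a signing step after the push is the missing piece, and a one-line comment here noting `# attestations are attached but unsigned` would make that status explicit.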