9. Integrating SBOM Generation & Security Scanning into Your Container - SMART2016/containerization GitHub Wiki
To fully automate SBOM generation and security scanning in your CI/CD pipeline, we'll integrate Apko, Syft, and Trivy into GitHub Actions. This ensures:
✅ Every build has an SBOM
✅ Security vulnerabilities are detected early
✅ Compliance with security best practices
1️⃣ Setup: Install Required Tools
Before integrating into CI/CD, install the necessary tools locally for testing:
```sh
# Install Syft (SBOM generator) into /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# Install Trivy (SBOM + vulnerability scanner); its install script lives under contrib/
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

# Verify installation
syft version
trivy version
```
Now, let’s integrate these tools into GitHub Actions.
2️⃣ GitHub Actions Workflow for SBOM + Security Scanning
Add this YAML file to .github/workflows/sbom-security.yml:
```yaml
name: SBOM and Security Scan

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  sbom_scan:
    name: Generate SBOM & Scan for Vulnerabilities
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Set Up Docker BuildX
        uses: docker/setup-buildx-action@v2

      - name: Build Container Image
        run: |
          docker build -t my-container:latest .

      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

      - name: Generate SBOM with Syft
        run: |
          syft my-container:latest -o spdx-json > sbom.json

      - name: Upload SBOM as Artifact
        uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json

      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

      - name: Scan Image for Vulnerabilities with Trivy
        run: |
          trivy image --format table my-container:latest

      - name: Fail if Critical Vulnerabilities Found
        run: |
          # --exit-code 1 makes Trivy return non-zero when a CRITICAL finding exists,
          # so the step must fail when the command fails (note the `!`).
          if ! trivy image --exit-code 1 --severity CRITICAL my-container:latest; then
            echo "Critical vulnerabilities found!"
            exit 1
          fi
```
3️⃣ How This Works
🔹 Builds the container image
🔹 Generates an SBOM (SPDX format) with Syft
🔹 Uploads the SBOM as a GitHub Action artifact
🔹 Scans the image for vulnerabilities with Trivy
🔹 Fails the CI/CD pipeline if critical vulnerabilities are found
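The last step above is a blunt gate: any CRITICAL finding blocks the build, with no way to record an accepted risk or to ignore findings that have no fix yet. The following script is an added example (not code from the SMART2016/containerization wiki, nor from Trivy or Syft) showing how the gate is usually done in practice: run `trivy image --format json -o trivy.json my-container:latest` in the scan step, then feed the report to this script together with a hypothetical `exceptions.json` that maps a CVE id to the date until which it is tolerated. The script assumes Trivy's JSON layout (a top-level `Results` list whose entries carry a `Vulnerabilities` list); the report and exceptions embedded below are constructed for the demonstration, not real scan output.

```python
"""CI vulnerability gate over Trivy's JSON report.

Added example for the wiki page; not code from the SMART2016/containerization
project or from Trivy/Syft. Assumes the report shape produced by
`trivy image --format json` and a hypothetical exceptions mapping of
CVE id -> ISO expiry date. The sample report and exceptions below are
constructed, not real scan output.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed stand-in for `trivy image --format json my-container:latest`.
SAMPLE_TRIVY_REPORT = json.dumps({
    "ArtifactName": "my-container:latest",
    "Results": [{
        "Target": "my-container:latest (alpine 3.18.4)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tool",
             "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"},
        ],
    }],
})

# Constructed exceptions file: a finding is tolerated until the given date.
SAMPLE_EXCEPTIONS = {"CVE-0000-0001": "2099-01-01"}


def load_findings(report_json):
    """Flatten Trivy's nested report into one dict per finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null rather than [] for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "fixed": bool(vuln.get("FixedVersion")),
            })
    return findings


def evaluate(findings, threshold="CRITICAL", exceptions=None, today=None, fixed_only=False):
    """Split findings at or above `threshold` into (blocking, accepted).

    accepted = covered by an unexpired exception. fixed_only=True skips
    findings with no patched version, like Trivy's --ignore-unfixed.
    `today` may be a date or an ISO string (handy for reproducible runs).
    """
    exceptions = exceptions or {}
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking, accepted = [], []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < min_rank:
            continue
        if fixed_only and not f["fixed"]:
            continue
        expiry = exceptions.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            accepted.append(f)  # exception still valid
        else:
            blocking.append(f)  # no exception, or it has expired
    return blocking, accepted


def gate(report_json, threshold="CRITICAL", exceptions=None, today=None, fixed_only=False):
    """Return the exit code the CI step should use: 1 to block, 0 to pass."""
    blocking, accepted = evaluate(load_findings(report_json), threshold,
                                  exceptions, today, fixed_only)
    for f in accepted:
        print(f"accepted (exception): {f['id']} in {f['pkg']} [{f['severity']}]")
    for f in blocking:
        print(f"BLOCKING: {f['id']} in {f['pkg']} [{f['severity']}]")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py trivy.json [exceptions.json]; falls back to the samples.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRIVY_REPORT
    exc = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_EXCEPTIONS
    sys.exit(gate(report, exceptions=exc))
```

Expiry dates on exceptions are the important design choice: an accepted risk silently becomes permanent otherwise, and an expired entry turns the finding back into a blocker so someone has to re-justify it. Commit the exceptions file next to the workflow so changes to it go through the same review as code.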
4️⃣ Running This Workflow in GitHub Actions
1️⃣ Commit & Push the Workflow
```sh
git add .github/workflows/sbom-security.yml
git commit -m "Add SBOM and Security Scanning workflow"
git push origin main
```
2️⃣ Trigger the Workflow
- Push a change or open a pull request to trigger the workflow.
- Check the Actions tab in GitHub for results.
5️⃣ Integrating with Other CI/CD Platforms
For GitLab CI/CD (.gitlab-ci.yml):
```yaml
# Each GitLab job runs in a fresh environment. For the security-stage jobs to
# find my-container:latest, the runner must share one Docker daemon across
# jobs (e.g. a shell executor on a single host), or the build job must push
# the image to a registry that the scan jobs then pull from.
stages:
  - build
  - security

build:
  stage: build
  script:
    - docker build -t my-container:latest .

sbom:
  stage: security
  script:
    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
    - syft my-container:latest -o spdx-json > sbom.json
  artifacts:
    paths:
      - sbom.json

trivy_scan:
  stage: security
  script:
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
    # Non-zero exit on any CRITICAL finding fails the job
    - trivy image --exit-code 1 --severity CRITICAL my-container:latest
```
6️⃣ Automating SBOM Signing for Enhanced Security
To sign the SBOM (ensuring it hasn't been tampered with), use Cosign:
```sh
# Generate a key pair once (writes cosign.key and cosign.pub)
cosign generate-key-pair

# The SBOM is a file, not an image, so use sign-blob; the signature goes to sbom.sig
cosign sign-blob --key cosign.key --output-signature sbom.sig sbom.json

# Verify the file against its signature with the public key
cosign verify-blob --key cosign.pub --signature sbom.sig sbom.json
```
🔒 Verification fails if either the SBOM or its signature is changed after signing, so anyone consuming sbom.json can check it came from the pipeline unaltered. Keep cosign.key out of the repository (a CI secret is the usual place) and ship only cosign.pub with the artifact.
7️⃣ Next Steps
✅ Deploy this workflow to GitHub Actions
✅ Use SBOM to monitor dependencies and vulnerabilities
✅ Set up automated alerts for CVE patches