diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml index 735a76cfed..c6be10b3cf 100644 --- a/.github/workflows/run-ci-cd.yaml +++ b/.github/workflows/run-ci-cd.yaml @@ -131,8 +131,7 @@ jobs: - build-staging-images - set-release-version permissions: - actions: write - contents: write + contents: read uses: ./.github/workflows/scan-images.yaml with: aws_role_name: nest-staging-terraform @@ -142,6 +141,23 @@ jobs: frontend_ecr_repo: nest-staging-frontend release_version: ${{ needs.set-release-version.outputs.release_version }} + upload-staging-sboms: + name: Upload Staging SBOMs + needs: + - scan-staging-images + - set-release-version + permissions: + actions: write + contents: write + uses: ./.github/workflows/upload-sboms.yaml + with: + aws_role_name: nest-staging-terraform + aws_role_session_name: GitHubActions-UploadStagingSBOMs + backend_ecr_repo: nest-staging-backend + environment: staging + frontend_ecr_repo: nest-staging-frontend + release_version: ${{ needs.set-release-version.outputs.release_version }} + bootstrap-nest-staging-infrastructure: name: Bootstrap Nest Staging Infrastructure if: | @@ -236,9 +252,7 @@ jobs: - build-production-images - set-release-version permissions: - # Broader than typical scan jobs: required for "Upload SBOMs" (gh release upload). - actions: write - contents: write + contents: read uses: ./.github/workflows/scan-images.yaml with: aws_role_name: nest-production-terraform 
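Review bot: `upload-staging-sboms` grants `actions: write` and `contents: write` although on the staging path only the artifact-upload step of upload-sboms.yaml runs (the `gh release upload` step is gated on `inputs.environment == 'production'`), so `contents: write` is unused there; `upload-production-sboms` in the next hunk has the mirror problem, where only the release upload runs and `actions: write` goes unused. Because the called workflow's single job hard-codes that permission pair, and a called job that requests more than its caller grants is rejected at run time, neither caller can be narrowed on its own. A way out is to split upload-sboms.yaml into a release-upload job (`permissions: { contents: write }`, `if: inputs.environment == 'production'`) and an artifact-upload job with its own `if:` and only the permission the artifact upload actually needs, so each caller grants what its path uses; whether upload-artifact requires `actions: write` at all is worth confirming against the action's documentation. The enclosing `jobs:` mapping starts before these hunks.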
@@ -246,6 +260,27 @@ jobs: backend_ecr_repo: nest-production-backend environment: production frontend_ecr_repo: nest-production-frontend + release_version: ${{ needs.set-release-version.outputs.release_version }} + + upload-production-sboms: + name: Upload Production SBOMs + if: | + github.repository == 'OWASP/Nest' && + github.event_name == 'release' && + github.event.action == 'published' + needs: + - scan-production-images + - set-release-version + permissions: + actions: write + contents: write + uses: ./.github/workflows/upload-sboms.yaml + with: + aws_role_name: nest-production-terraform + aws_role_session_name: GitHubActions-UploadProductionSBOMs + backend_ecr_repo: nest-production-backend + environment: production + frontend_ecr_repo: nest-production-frontend release_tag: ${{ github.event.release.tag_name }} release_version: ${{ needs.set-release-version.outputs.release_version }} diff --git a/.github/workflows/scan-images.yaml b/.github/workflows/scan-images.yaml index f81418d915..795462264f 100644 --- a/.github/workflows/scan-images.yaml +++ b/.github/workflows/scan-images.yaml @@ -23,11 +23,6 @@ on: description: Frontend ECR repository name required: true type: string - release_tag: - description: Release tag for uploading SBOMs - required: false - type: string - default: '' release_version: description: The release version to set required: true @@ -47,10 +42,8 @@ jobs: }} FRONTEND_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ inputs.frontend_ecr_repo }}:${{ inputs.release_version }} - RELEASE_VERSION: ${{ inputs.release_version }} permissions: - actions: write - contents: write + contents: read runs-on: ubuntu-latest steps: - name: Check out repository 
@@ -84,32 +77,4 @@ jobs: command: | make security-scan-backend-image BACKEND_IMAGE_NAME="$BACKEND_IMAGE" make security-scan-frontend-image FRONTEND_IMAGE_NAME="$FRONTEND_IMAGE" - - - name: Generate SBOM for backend image - run: | - make sbom-backend-image BACKEND_IMAGE_NAME="$BACKEND_IMAGE" - - - name: Generate SBOM for frontend image - run: | - make sbom-frontend-image FRONTEND_IMAGE_NAME="$FRONTEND_IMAGE" - - - name: Upload SBOMs to release - if: ${{ inputs.environment == 'production' }} - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - RELEASE_VERSION: ${{ inputs.release_version }} - RELEASE_TAG: ${{ inputs.release_tag }} - run: | - gh release upload "$RELEASE_TAG" \ - "backend-sbom-$RELEASE_VERSION.cdx.json" \ - "frontend-sbom-$RELEASE_VERSION.cdx.json" - - - name: Upload SBOMs as artifact - if: ${{ inputs.environment == 'staging' }} - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 - with: - name: staging-sbom-${{ env.RELEASE_VERSION }} - path: | - backend-sbom-${{ env.RELEASE_VERSION }}.cdx.json - frontend-sbom-${{ env.RELEASE_VERSION }}.cdx.json timeout-minutes: 10 diff --git a/.github/workflows/upload-sboms.yaml b/.github/workflows/upload-sboms.yaml new file mode 100644 index 0000000000..27b36bbe84 --- /dev/null +++ b/.github/workflows/upload-sboms.yaml 
@@ -0,0 +1,108 @@ +name: Upload SBOMs + +on: + workflow_call: + inputs: + aws_role_name: + description: AWS role name to assume + required: true + type: string + aws_role_session_name: + description: AWS role session name + required: true + type: string + backend_ecr_repo: + description: Backend ECR repository name + required: true + type: string + environment: + description: The workflow environment (e.g., staging, production) + required: true + type: string + frontend_ecr_repo: + description: Frontend ECR repository name + required: true + type: string + release_tag: + description: Release tag for uploading SBOMs + required: false + type: string + default: '' + release_version: + description: The release version to use + required: true + type: string + +env: + FORCE_COLOR: 1 + +permissions: {} + +jobs: + upload-sboms: + name: Upload SBOMs + environment: ${{ inputs.environment }} + env: + BACKEND_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ inputs.backend_ecr_repo }}:${{ inputs.release_version + }} + FRONTEND_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ inputs.frontend_ecr_repo }}:${{ inputs.release_version + }} + RELEASE_VERSION: ${{ inputs.release_version }} + permissions: + actions: write + contents: write + runs-on: ubuntu-latest + steps: + - name: Check out repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-region: ${{ vars.AWS_REGION }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-duration-seconds: 3600 + role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }} + role-session-name: ${{ inputs.aws_role_session_name }} + role-skip-session-tagging: true + role-to-assume: arn:aws:iam::${{ 
secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.aws_role_name }} + + - name: Login to Amazon ECR + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 + + - name: Pull container images + run: | + docker pull "$BACKEND_IMAGE" + docker pull "$FRONTEND_IMAGE" + + - name: Generate SBOM for backend image + run: | + make sbom-backend-image BACKEND_IMAGE_NAME="$BACKEND_IMAGE" + + - name: Generate SBOM for frontend image + run: | + make sbom-frontend-image FRONTEND_IMAGE_NAME="$FRONTEND_IMAGE" + + - name: Upload SBOMs to release + if: ${{ inputs.environment == 'production' }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_VERSION: ${{ inputs.release_version }} + RELEASE_TAG: ${{ inputs.release_tag }} + run: | + gh release upload "$RELEASE_TAG" \ + "backend-sbom-$RELEASE_VERSION.cdx.json" \ + "frontend-sbom-$RELEASE_VERSION.cdx.json" + + - name: Upload SBOMs as artifact + if: ${{ inputs.environment == 'staging' }} + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: staging-sbom-${{ env.RELEASE_VERSION }} + path: | + backend-sbom-${{ env.RELEASE_VERSION }}.cdx.json + frontend-sbom-${{ env.RELEASE_VERSION }}.cdx.json + timeout-minutes: 10 diff --git a/cspell/custom-dict.txt b/cspell/custom-dict.txt index bfcbc6894c..5253b679d0 100644 --- a/cspell/custom-dict.txt +++ b/cspell/custom-dict.txt @@ -207,6 +207,7 @@ saft sakanashi samm sbom +sboms schemathesis semgrep seo
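Review bot: `release_tag` is declared optional with default `''`, yet the `Upload SBOMs to release` step runs `gh release upload "$RELEASE_TAG"` unconditionally on the production path, so a caller that omits it only learns of the mistake from an opaque gh error after both SBOMs have been built; a guard at the top of that run block, `[ -n "$RELEASE_TAG" ] || { echo "release_tag is required when environment is production" >&2; exit 1; }`, fails fast with the reason. The `RELEASE_VERSION` entry in that step's `env:` duplicates the job-level `RELEASE_VERSION` and can be dropped. Also worth noting for provenance: the images are pulled by the mutable `:release_version` tag, so the SBOM describes whatever that tag points at when this job runs rather than the exact image scan-images.yaml examined; resolving the digest once in the scan job and passing it through would bind the two together.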