Open david-thrower opened 1 year ago
We have created an open-source tool to help you do just this. It is as simple as `sbomqs share <sbom-file>`.
Output example: https://sbombenchmark.dev/user/score?id=eb4903f6-88df-46bd-adb1-e5ea85cdc88f
@riteshnoronha , Thanks for the awesome and practical recommendation. I will prioritize this.
Awesome. Would love any feedback.
One possibility is:
In `.github/workflows/automerge.yaml`, append a step such as:

```yaml
# Add a pipeline step
- name: Run Trivy vulnerability scanner in fs mode
  # @master tracks a moving branch; pinning to a release tag or commit SHA is safer
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'        # filesystem scan of the checked-out repository
    scan-ref: '.'          # scan the repository root
    trivy-config: trivy.yaml  # scanner settings live in trivy.yaml
```

# Configure trivy.yaml
Kind of issue: Process Change
Review the SBOM and make sure what we are producing meets requirements. Amend CICD SOP as needed.
Suggested Labels (If you don't know, that's ok): triage/hire-consultant kind/security-vulnerability
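As an added illustration of what "review the SBOM and make sure what we are producing meets requirements" can look like in code (this is not from the thread, the project, or sbomqs), the following checker walks a CycloneDX JSON document and reports, per component, which of the NTIA "minimum elements" are absent: name, version, supplier, a unique identifier (purl or CPE), a dependency relationship, plus the document-level author and timestamp. The SBOM embedded below is constructed for the example; its second component is deliberately incomplete so the report shows gaps. The field mapping to CycloneDX keys is an assumption of this example, not a statement about the project's SBOM generator.

```python
"""Added example: check a CycloneDX JSON SBOM against NTIA minimum elements.

Not from the issue thread or the project; the sample SBOM is constructed.
"""
import json
from typing import Dict, List, Set

# Constructed sample SBOM: the "leftpad" entry intentionally lacks several fields.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "tools": [{"vendor": "example", "name": "sbom-gen", "version": "0.1"}],
        "component": {"type": "application", "name": "my-app", "version": "1.2.3",
                      "bom-ref": "pkg:pypi/my-app@1.2.3"},
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "supplier": {"name": "Python Software Foundation"},
         "purl": "pkg:pypi/requests@2.31.0", "bom-ref": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "leftpad", "bom-ref": "leftpad"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/my-app@1.2.3", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
    ],
})


def check_component(comp: dict, dep_refs: Set[str]) -> List[str]:
    """Return the minimum-element fields that a single component is missing."""
    missing: List[str] = []
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    if not (comp.get("supplier") or {}).get("name"):
        missing.append("supplier")
    if not (comp.get("purl") or comp.get("cpe")):
        missing.append("unique identifier (purl/cpe)")
    # A component nobody depends on (and that depends on nothing) has no
    # relationship recorded, so consumers cannot place it in the graph.
    if comp.get("bom-ref") not in dep_refs:
        missing.append("dependency relationship")
    return missing


def check_sbom(text: str) -> Dict[str, List[str]]:
    """Parse CycloneDX JSON and report gaps per component.

    Document-level gaps (author of SBOM data, timestamp) are reported under
    the key "<document>". Keys for components are their bom-ref (or name).
    """
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")

    meta = bom.get("metadata", {})
    doc_missing: List[str] = []
    if not meta.get("timestamp"):
        doc_missing.append("timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        doc_missing.append("author of SBOM data")

    # Collect every ref that appears anywhere in the dependency graph.
    dep_refs: Set[str] = set()
    for dep in bom.get("dependencies", []):
        dep_refs.add(dep.get("ref"))
        dep_refs.update(dep.get("dependsOn", []))

    report: Dict[str, List[str]] = {"<document>": doc_missing}
    for comp in bom.get("components", []):
        key = comp.get("bom-ref") or comp.get("name", "?")
        report[key] = check_component(comp, dep_refs)
    return report


def is_compliant(report: Dict[str, List[str]]) -> bool:
    """True only when no component or document-level field is missing."""
    return all(not missing for missing in report.values())


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    for ref, missing in result.items():
        print(ref, "OK" if not missing else "missing: " + ", ".join(missing))
    print("compliant:", is_compliant(result))
```

Run against the sample, the checker passes `requests` and the document metadata but flags `leftpad` for a missing version, supplier, identifier and dependency relationship; in a CI step the non-compliant result is what should fail the job, so an SBOM that drifts below the agreed minimum never ships unnoticed.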