david-thrower / cerebros-core-algorithm-alpha

The Cerebros package is an ultra-precise Neural Architecture Search (NAS) / AutoML that is intended to much more closely mimic biological neurons than conventional neural network architecture strategies.

review-sbom-practices-add-to-cicd-sop #92

Open david-thrower opened 1 year ago

david-thrower commented 1 year ago

Kind of issue: Process Change

Review the SBOM and make sure what we are producing meets requirements. Amend CICD SOP as needed.

Suggested Labels (If you don't know, that's ok): triage/hire-consultant kind/security-vulnerability

riteshnoronha commented 1 year ago

We have created an open-source tool to help you do just this. As simple as `sbomqs share <sbom-file>`. Output example: https://sbombenchmark.dev/user/score?id=eb4903f6-88df-46bd-adb1-e5ea85cdc88f

https://github.com/interlynk-io/sbomqs

david-thrower commented 1 year ago

@riteshnoronha, thanks for the awesome and practical recommendation. I will prioritize this.

riteshnoronha commented 1 year ago

Awesome. Would love any feedback.

david-thrower commented 1 year ago

One possibility is:

In .github/workflows/automerge.yaml, append:

    # Add a pipeline step
    - name: Run Trivy vulnerability scanner in fs mode
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'fs'
        scan-ref: '.'
        trivy-config: trivy.yaml

    # Configure trivy.yaml
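The issue asks to review the SBOM the pipeline produces and confirm it "meets requirements". The script below is an added example, not code from the Cerebros repository or from sbomqs, showing the kind of check a CI step could run on a CycloneDX JSON SBOM: it tests each component and the document metadata against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author of the SBOM data, timestamp). The SBOM it inspects is a constructed sample with one deliberately incomplete component; a pipeline would feed it the file emitted by the SBOM generator instead.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example for this issue thread, not code from the Cerebros project.
"""
import json
from datetime import datetime

# Constructed sample SBOM (CycloneDX 1.5). "example-lib-b" is deliberately
# missing version, supplier, purl and any dependency entry.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-15T12:00:00Z",
        "tools": [{"vendor": "Example Org", "name": "example-sbom-gen", "version": "0.0"}],
        "component": {"type": "application", "name": "example-app", "version": "0.1.0"},
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "lib-a",
            "name": "example-lib-a",
            "version": "1.2.3",
            "supplier": {"name": "Example Org"},
            "purl": "pkg:pypi/example-lib-a@1.2.3",
        },
        {"type": "library", "bom-ref": "lib-b", "name": "example-lib-b"},
    ],
    "dependencies": [{"ref": "lib-a", "dependsOn": []}],
})


def check_sbom(sbom: dict) -> list[str]:
    """Return one finding per missing minimum element; [] means the SBOM passed."""
    findings = []
    meta = sbom.get("metadata", {})

    # Author of SBOM data: CycloneDX records it under metadata.authors or metadata.tools.
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata: no author or generating tool recorded")

    # Timestamp must be present and parse as RFC 3339.
    ts = meta.get("timestamp")
    if not ts:
        findings.append("metadata: missing timestamp")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"metadata: timestamp {ts!r} is not RFC 3339")

    components = sbom.get("components", [])
    if not components:
        findings.append("components: list is empty")

    # A component has a recorded dependency relationship if its bom-ref appears
    # either as a "ref" or inside some other entry's "dependsOn".
    covered = set()
    for dep in sbom.get("dependencies", []):
        if dep.get("ref"):
            covered.add(dep["ref"])
        covered.update(dep.get("dependsOn", []))

    for comp in components:
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in covered:
            findings.append(f"{label}: no dependency relationship recorded")
    return findings


def check_sbom_text(text: str) -> list[str]:
    """Parse a CycloneDX JSON document and run the checks on it."""
    return check_sbom(json.loads(text))


def check_sample() -> list[str]:
    """Run the checks on the constructed sample above."""
    return check_sbom_text(SAMPLE_SBOM)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

In a pipeline the exit status would be the gate: a non-empty findings list fails the step, so an SBOM that drops supplier or identifier data after a generator upgrade is caught before it is published. The checks are deliberately conservative (presence, not correctness of values); a scorer such as sbomqs goes further.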