Description
Adds a step to the release which generates a Software Bill of Materials (SBOM) as an asset in the release. The SBOM can be used by external tools to validate the container contents.
Documentation at: https://github.com/marketplace/actions/anchore-sbom-action
It also adds a second workflow, which periodically does a vulnerability scan of the container. The output of the scan is presented in the log. It's currently configured to 'fail' on medium-or-above vulnerabilities.
Documentation at: https://github.com/marketplace/actions/anchore-container-scan
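For illustration, here is what the scheduled scan workflow described above can look like; this is an added example, not the workflow file changed by this PR. The image reference, schedule and action version are placeholders/assumptions; the `fail-build`, `severity-cutoff` and `output-format` inputs are the ones documented for anchore/scan-action.

```yaml
# Added example (not this PR's own file): periodic container scan with
# anchore/scan-action that fails the job on medium-or-above findings.
# ORG/IMAGE_NAME and the cron schedule are placeholders, not from the page.
name: Container vulnerability scan

on:
  schedule:
    - cron: '0 6 * * *'   # assumed: once a day at 06:00 UTC
  workflow_dispatch:      # lets a maintainer trigger a run by hand

permissions:
  contents: read          # the scan only reads; no write scopes needed

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Scan the published container image
        uses: anchore/scan-action@v3   # pin to a commit SHA in production
        with:
          image: ghcr.io/ORG/IMAGE_NAME:latest   # placeholder image ref
          fail-build: true               # non-zero exit when cutoff is hit
          severity-cutoff: medium        # medium, high and critical fail
          output-format: table           # findings readable in the job log
```

With `fail-build: true` the job is red whenever a finding at or above the cutoff exists, so a scheduled run surfaces newly published CVEs in an unchanged image without anyone re-running the release.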
Checklist: