Merge pull request #12 from Ostorlab/feat/Update_the_actions_with_sbo…

…m_files Update the actions with sbom files.
Ostorlab · Aug 22, 2023 · 61583e6 · 61583e6
2 parents a6c1123 + 5870f12
commit 61583e6
Show file tree

Hide file tree

Showing 4 changed files with 6,421 additions and 2 deletions.
diff --git a/.github/workflows/action_cron.yaml b/.github/workflows/action_cron.yaml
@@ -11,6 +11,9 @@ jobs:
       - uses: actions/checkout@v2
       - name: build ostorlab.apk
         run: mv tests/InsecureBankv2.apk ostorlab.apk
+      - name: Get sbom file
+        run: |
+          mv tests/package-lock.json package-lock.json
       - name: Launch Ostorlab scan
         id: start_scan
         uses: ./

diff --git a/.github/workflows/action_with_extra.yaml b/.github/workflows/action_with_extra.yaml
@@ -7,6 +7,9 @@ jobs:
       - uses: actions/checkout@v2
       - name: build ostorlab.apk
         run: mv tests/InsecureBankv2.apk ostorlab.apk
+      - name: Get sbom file
+        run: |
+          mv tests/package-lock.json package-lock.json
       - name: Launch Ostorlab scan
         id: start_scan
         uses: ./
@@ -18,6 +21,6 @@ jobs:
           ostorlab_api_key: ${{ secrets.ostorlab_api_key }} # your secret api key.
           break_on_risk_rating: HIGH # Wait for the scan results and force the action to fail if the scan risk is higher
           max_wait_minutes: 30
-          extra: --test-credentials-login test_login --test-credentials-password test_pass --test-credentials-role ci_role --test-credentials-name foo1 --test-credentials-value bar1 --test-credentials-name foo2 --test-credentials-value bar2
+          extra: --test-credentials-login test_login --test-credentials-password test_pass --test-credentials-role ci_role --test-credentials-name foo1 --test-credentials-value bar1 --test-credentials-name foo2 --test-credentials-value bar2 --sbom package-lock.json
       - name: Get scan id
         run: echo "Scan Created with id ${{ steps.start_scan.outputs.scan_id }} you can access the full report at https://report.ostorlab.co/scan/${{ steps.start_scan.outputs.scan_id }}/"
diff --git a/README.md b/README.md
@@ -56,7 +56,36 @@ jobs:
       - name: Get scan id
         run: echo "Scan Created with id ${{ steps.start_scan.outputs.scan_id }} you can access the full report at https://report.ostorlab.co/scan/${{ steps.start_scan.outputs.scan_id }}/"
 
-```   
+```
+
+### Sbom/Lock Files
+
+You can supply your SBOM/Lock files to enhance the scan analysis, to do so use the `extra` 
+input to pass `--sbom***`, for example to add package-lock.json file use the following example:
+
+```yaml
+extra:  --sbom package-lock.json
+```
+Here you can see the list of the supported files:
+
+- buildscript-gradle.lockfile
+- Cargo.lock,
+- composer.lock,
+- conan.lock,
+- Gemfile.lock,
+- go.mod,
+- gradle.lockfile,
+- mix.lock,
+- Pipfile.lock,
+- package-lock.json,
+- packages.lock.json,
+- pnpm-lock.yaml,
+- poetry.lock,
+- pom.xml,
+- pubspec.lock,
+- requirements.txt,
+- yarn.lock,
+
 
 ### Test Credentials