
ci: add SBOM generation and secscan run to publish workflow#80

Closed
tonyandrewmeyer wants to merge 7 commits intocanonical:mainfrom
tonyandrewmeyer:secscan-on-release

Conversation

@tonyandrewmeyer tonyandrewmeyer commented Jul 24, 2025

At the conclusion of the publishing workflow, use the secscan tool to generate an SBOM and run a security scan, and store those results with the workflow.

Although there's only a single artefact to run against, the workflow uses the sbomber tool to simplify the process and keep it consistent with other Charm Tech projects.

The secscan tool can only be run in the Canonical network, so the workflow is set to use a hosted runner. This prevents testing the workflow in my fork, but it is very similar to the one in canonical/operator that works.

TODO:

  • Once we hear back from the security team, either add in the required secret to get the sbomber package, or (hopefully) remove that requirement.
  • Investigate automatically pulling the version information.
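The wiring the description talks about (a scan job that runs after publishing, on an in-network runner, and keeps the SBOM and scan report with the workflow run) can be sketched as a GitHub Actions workflow. This is an added illustration, not the workflow from this PR or from canonical/operator: the `publish` job, the `release-artefact` name, the runner labels and the sbomber/secscan command lines are all assumptions, since the real invocations of those internal tools are not shown on this page.

```yaml
# Illustrative workflow (not the PR's own). Assumes a `publish` job that
# uploads the built charm as an artifact named `release-artefact`; the
# sbomber/secscan steps are placeholders for Canonical's internal tooling.
name: Publish

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build the artefact (placeholder for the project's real build step)
        run: |
          mkdir -p dist
          echo "placeholder charm payload" > dist/charm.bin
      - uses: actions/upload-artifact@v4
        with:
          name: release-artefact
          path: dist/

  secscan:
    # Only runs once publishing has succeeded, and only on a runner that
    # sits inside the network the scanning tool is reachable from.
    needs: publish
    runs-on: [self-hosted, linux]   # assumed runner labels
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: release-artefact
          path: to-scan/
      - name: Generate SBOM and run security scan
        # Placeholder commands: the real sbomber/secscan invocations are
        # internal and are not on this page. Pin the artefact version being
        # scanned explicitly rather than scanning "whatever is in the folder".
        env:
          ARTEFACT_VERSION: ${{ github.event.release.tag_name }}
        run: |
          mkdir -p secscan-results
          echo "TODO: run sbomber over to-scan/ for version ${ARTEFACT_VERSION}" \
            | tee secscan-results/sbom-generation.log
          echo "TODO: run secscan over the generated SBOM" \
            | tee -a secscan-results/scan.log
      - name: Keep the SBOM and scan report with the workflow run
        # Upload whatever was produced even when the scan step itself failed,
        # so a failing scan still leaves evidence attached to the run.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: secscan-results
          path: secscan-results/
          retention-days: 90
```

The `needs: publish` edge ensures the scan sees exactly what was released, `if: always()` on the upload step keeps the report retrievable when the scan fails (which is the case you most want to inspect), and `retention-days` is set explicitly so the evidence does not disappear with the repository's default artifact retention.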

@tonyandrewmeyer (Contributor Author)

I think I'd rather do this a slightly different way. Closing for now, and it's scheduled to happen in later SSDLC work anyway.
