canonical · tonyandrewmeyer · Jul 24, 2025 · Jul 25, 2025 · Jul 25, 2025 · Jul 25, 2025
diff --git a/.github/.sbomber-manifest.yaml b/.github/.sbomber-manifest.yaml
@@ -0,0 +1,17 @@
+clients:
+  sbom:
+      service_url: https://sbom-request.canonical.com
+      department: charm_engineering
+      email: tony.meyer@canonical.com
+      team: charm_tech
+  secscan: {}
+
+
+artifacts:
+  - name: 'concierge'
+    type: 'snap'
+    ssdlc_params:
+        name: 'concierge'
+        version: ''
+        channel: 'stable'
+        cycle: '25.10'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -137,3 +137,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.STORE_TOKEN }}
+
+  secscan:
+    uses: ./.github/workflows/secscan.yaml
diff --git a/.github/workflows/secscan.yaml b/.github/workflows/secscan.yaml
@@ -0,0 +1,58 @@
+name: SBOM and secscan
+
+on:
+    workflow_call:
+    workflow_dispatch:
+
+permissions: {}
+
+jobs:
+    scan:
+        strategy:
+          fail-fast: false
+
+        name: SBOM generation
+        runs-on: [self-hosted, self-hosted-linux-amd64-jammy-private-endpoint-medium]
+        steps:
+          - name: Checkout repository
+            uses: actions/checkout@v4
+            with:
+              persist-credentials: false
+          - name: Install dependencies
+            run: |
+              sudo apt-get update
+              sudo apt-get install -y libapt-pkg-dev
+              sudo apt install -y python3-apt
+          - name: Checkout security scanner
+            uses: actions/checkout@v4
+            with:
+              repository: canonical/sbomber
+              path: scanner
+              token: ${{ secrets.SBOMBER_TOKEN }}
+              persist-credentials: false
+          - name: Install uv
+            uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb  # v6.1.0
+          - name: Install secscan cli
+            run: |
+              sudo snap install canonical-secscan-client
+              sudo snap connect canonical-secscan-client:home system:home
+          - name: Prepare the artifacts
+            run: |
+              cd scanner
+              ./sbomber prepare ../.github/.sbomber-manifest.yaml
+          - name: Submit the artifacts
+            run: |
+              cd scanner
+              ./sbomber submit
+          - name: Wait for the scans to finish
+            run: |
+              cd scanner
+              ./sbomber poll --wait --timeout 30
+          - name: Download the reports
+            run: |
+              cd scanner && ./sbomber download
+          - name: Upload reports
+            uses: actions/upload-artifact@v4
+            with:
+              name: secscan-report-upload
+              path: ./scanner/reports/
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,7 @@
 dist/
 .spread-reuse*.yaml
 /.idea
+# sbomber tool
+.statefile.yaml
+pkgs/
+reports/