42 行
991 B
YAML
42 行
991 B
YAML
# LAB ONLY
|
|
# 用途: 生成 SBOM 并用 OSV 扫描依赖漏洞
|
|
# 目标范围: 自有代码仓和实验项目
|
|
# 风险: 需要下载额外工具,运行时间较长
|
|
# 不适用: 未经缓存和版本固定直接作为生产门禁
|
|
name: osv-sbom
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
osv-sbom:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Go
|
|
uses: actions/setup-go@v5
|
|
with:
|
|
go-version: "1.22"
|
|
|
|
- name: Install Syft and OSV-Scanner
|
|
run: |
|
|
go install github.com/anchore/syft/cmd/syft@latest
|
|
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
|
|
echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
|
|
|
|
- name: Generate SBOM
|
|
run: |
|
|
syft dir:. -o cyclonedx-json > sbom.json
|
|
|
|
- name: Scan SBOM with OSV
|
|
run: |
|
|
osv-scanner scan --sbom=sbom.json
|