From c5fb2462c8623fbf97a9a1d459087f52f25adf7f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 09:03:23 +0000 Subject: [PATCH 01/37] use trivy for sbom scan --- .github/workflows/quality-checks.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 87e9ee0..224290e 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -174,7 +174,14 @@ jobs: run: make test - name: Generate and check SBOMs - uses: NHSDigital/eps-action-sbom@7684ce6314e515df7b7929fac08b4464f8a03d06 + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: "fs" + scan-ref: "." + severity: "CRITICAL,HIGH" + format: "table" + output: "dependency-results.txt" + exit-code: "1" - name: "check is SONAR_TOKEN exists" env: From 59cf4fc9eb31313763f31b067a2e93a2e9c86759 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 09:07:36 +0000 Subject: [PATCH 02/37] show output --- .github/workflows/quality-checks.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 224290e..de2898e 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -182,6 +182,9 @@ jobs: format: "table" output: "dependency-results.txt" exit-code: "1" + - name: Show scan output + if: failure() + run: cat dependency-results.txt - name: "check is SONAR_TOKEN exists" env: From f0a68a7866aa2aa25e458349c2b263d147181874 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 09:10:52 +0000 Subject: [PATCH 03/37] always show output --- .github/workflows/quality-checks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index de2898e..2c4dda0 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
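Review bot: The new step references the action by a mutable tag, `aquasecurity/trivy-action@0.33.1`, whereas the `NHSDigital/eps-action-sbom` step it replaces was pinned to a full commit SHA; a tag can be re-pointed by the upstream maintainer or by anyone who compromises that repo, so pin the new action the same way, `uses: aquasecurity/trivy-action@<commit-sha> # v0.33.1`. The step keeps the name "Generate and check SBOMs", but with `format: "table"` no SBOM is produced or retained, so either rename it to say it is a vulnerability gate or add a second invocation with `format: "cyclonedx"` whose output is uploaded as an artifact. Note also that `exit-code: "1"` with `severity: "CRITICAL,HIGH"` will fail the build on findings that have no upstream fix yet; if that is not the intended policy, add `ignore-unfixed: "true"`, otherwise a comment saying unfixed findings are deliberately blocking would help the next reader.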
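Review bot: `if: failure()` on the new "Show scan output" step is true whenever any earlier step in the job failed, including `make test`, in which case the trivy step never ran and `cat dependency-results.txt` adds a second, unrelated failure to the log. Give the scan step an `id` (e.g. `id: trivy_scan`) and scope the display step to it, `if: failure() && steps.trivy_scan.outcome == 'failure'`, so the file is only read when trivy actually wrote it.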
@@ -179,11 +179,12 @@ jobs: scan-type: "fs" scan-ref: "." severity: "CRITICAL,HIGH" + skip-files: "nhsd-rules-deny.txt" format: "table" output: "dependency-results.txt" exit-code: "1" - name: Show scan output - if: failure() + if: always() run: cat dependency-results.txt - name: "check is SONAR_TOKEN exists" From edf8f4aa9ced0f76e69e78dbe5585c30f985d496 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 09:25:34 +0000 Subject: [PATCH 04/37] only scan poetry --- .github/workflows/quality-checks.yml | 29 ++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 2c4dda0..f37aa9b 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -151,9 +151,18 @@ jobs: echo "uses_java=false" >> "$GITHUB_OUTPUT" fi - - name: Check licenses (Makefile) - run: | - make check-licenses + - name: Check licenses + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: "fs" + scan-ref: "." + scanners: "license" + format: "table" + output: "license_scan.txt" + exit-code: "1" + - name: Show license scan output + if: always() + run: cat license_scan.txt - name: Run code lint run: make lint @@ -173,20 +182,20 @@ jobs: - name: Run unit tests run: make test - - name: Generate and check SBOMs + - name: Generate and check python SBOMs + if: ${{ steps.check_poetry.outputs.uses_poetry == 'true' }} uses: aquasecurity/trivy-action@0.33.1 with: scan-type: "fs" - scan-ref: "." + scan-ref: "poetry.lock" severity: "CRITICAL,HIGH" - skip-files: "nhsd-rules-deny.txt" + scanners: "vuln" format: "table" - output: "dependency-results.txt" + output: "dependency_results_python.txt" exit-code: "1" - name: Show scan output if: always() - run: cat dependency-results.txt - + run: cat dependency_results_python.txt - name: "check is SONAR_TOKEN exists" env: super_secret: ${{ secrets.SONAR_TOKEN }} 
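Review bot: `skip-files: "nhsd-rules-deny.txt"` silently removes a file from the scan with no explanation of why; the name suggests it is the license deny-list used by the old `make check-licenses` target rather than a dependency manifest, and presumably trivy was reporting something in it, but that reasoning belongs in the workflow. Add a comment above the line such as `# excluded: license deny-list, not a manifest; trivy mis-parses it as <whatever was reported>`, filling in the actual finding. Switching the display step to `if: always()` also means it now runs after a cancelled job or a skipped scan, where the output file does not exist and `cat` fails; guarding the read with `if [ -f dependency-results.txt ]` keeps the display step from masking the real outcome.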
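Review bot: The new license step runs the `license` scanner with `exit-code: "1"` and no `severity` filter, so as I read trivy's exit-code semantics any license finding at all, including permissive ones classified LOW, fails the build. More importantly, replacing `make check-licenses` with trivy's built-in classification changes the policy being enforced: whatever allow/deny list the Makefile target applied (the `nhsd-rules-deny.txt` file referenced in the previous commit looks like it) is not carried across, and nothing in this hunk tells a reader that the rules changed. Either restrict the step to the categories that should block (`severity: "CRITICAL,HIGH"`, which maps to trivy's forbidden/restricted buckets) or express the project list in the trivy config, and add a comment recording which of the two is the intended source of truth.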
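Review bot: The scan step is now gated on `steps.check_poetry.outputs.uses_poetry == 'true'` and writes `dependency_results_python.txt`, but the following "Show scan output" step still runs under `if: always()` and does `cat dependency_results_python.txt` unconditionally, so on a repository that does not use Poetry the scan is skipped, the file never exists and the display step fails the job. Either apply the same `if:` condition to the display step or change the command to `if [ -f dependency_results_python.txt ]; then cat dependency_results_python.txt; fi`. Narrowing `scan-ref` from `"."` to `poetry.lock` also means a repo with both Python and, say, Node dependencies now has only its Python lockfile checked, which is worth a comment until the other ecosystems are covered.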
@@ -205,7 +214,7 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # CloudFormation validation (runs only if templates exist, ~3-5 minutes) - cloudformation-validation: + IaC-validation: runs-on: ubuntu-22.04 steps: - name: Checkout code From 340a1f987e7cd65b2403355da213bb61cce2b79d Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 09:29:26 +0000 Subject: [PATCH 05/37] force scan --- .github/workflows/quality-checks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index f37aa9b..6f2a05e 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -155,7 +155,8 @@ jobs: uses: aquasecurity/trivy-action@0.33.1 with: scan-type: "fs" - scan-ref: "." + scan-ref: "poetry.lock" + severity: "CRITICAL,HIGH" scanners: "license" format: "table" output: "license_scan.txt" From eedc99af14b038c2b71048ef590a291e30ede7e4 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 09:32:18 +0000 Subject: [PATCH 06/37] show all pkgs --- .github/workflows/quality-checks.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 6f2a05e..34237a0 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -161,6 +161,7 @@ jobs: format: "table" output: "license_scan.txt" exit-code: "1" + list-all-pkgs: "true" - name: Show license scan output if: always() run: cat license_scan.txt From b573ace1d214bc4a7659e804837b32414621fc00 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 09:36:19 +0000 Subject: [PATCH 07/37] try it --- .github/workflows/quality-checks.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 34237a0..a12823a 100644 --- a/.github/workflows/quality-checks.yml 
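Review bot: Adding `severity: "CRITICAL,HIGH"` to a `license` scan does not filter by vulnerability severity; for the license scanner trivy assigns severities from its built-in license categories (forbidden → CRITICAL, restricted → HIGH, reciprocal → MEDIUM, the rest LOW/UNKNOWN), so this line is what decides which licenses block the build, and that deserves a comment, e.g. `# CRITICAL/HIGH == trivy's "forbidden" and "restricted" license categories`. If the project's own policy differs from trivy's defaults, the categories can be overridden under the `license:` section of the trivy config rather than relying on the built-in lists. Pointing `scan-ref` at `poetry.lock` again limits the license check to Python even though the job already detects Java via `uses_java`.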
+++ b/.github/workflows/quality-checks.yml @@ -155,16 +155,16 @@ jobs: uses: aquasecurity/trivy-action@0.33.1 with: scan-type: "fs" - scan-ref: "poetry.lock" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" - format: "table" - output: "license_scan.txt" + format: "json" + output: "license_scan.json" exit-code: "1" list-all-pkgs: "true" - name: Show license scan output if: always() - run: cat license_scan.txt + run: cat license_scan.json - name: Run code lint run: make lint From ba9dd7df9a224ef8942c309f75bdd53152136f0c Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 09:56:28 +0000 Subject: [PATCH 08/37] all the languages --- .github/workflows/quality-checks.yml | 128 +++++++++++++++++++++++---- 1 file changed, 112 insertions(+), 16 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index a12823a..5ac5684 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -121,8 +121,8 @@ jobs: run: | make install - - name: Check if project uses Poetry - id: check_poetry + - name: Check language tools used + id: check_languages run: | if [ -f "pyproject.toml" ] && grep -q '\[tool.poetry\]' "pyproject.toml"; then echo "****************" @@ -135,10 +135,6 @@ jobs: echo "****************" echo "uses_poetry=false" >> "$GITHUB_OUTPUT" fi - - - name: Check if project uses Java - id: check_java - run: | if [ -f pom.xml ]; then echo "****************" echo "Detected a Java project" 
@@ -150,21 +146,84 @@ jobs: echo "****************" echo "uses_java=false" >> "$GITHUB_OUTPUT" fi + if [ -f package-lock.json ]; then + echo "****************" + echo "Detected a Node.js project" + echo "****************" + echo "uses_node=true" >> "$GITHUB_OUTPUT" + else + echo "****************" + echo "Project does not use Node.js" + echo "****************" + echo "uses_node=false" >> "$GITHUB_OUTPUT" + fi + if [ -f go.sum ]; then + echo "****************" + echo "Detected a Go project" + echo "****************" + echo "uses_go=true" >> "$GITHUB_OUTPUT" + else + echo "****************" + echo "Project does not use Go" + echo "****************" + echo "uses_go=false" >> "$GITHUB_OUTPUT" + fi - - name: Check licenses - uses: aquasecurity/trivy-action@0.33.1 + - name: Check python licenses + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} + with: + scan-type: "fs" + scan-ref: "poetry.lock" + severity: "CRITICAL,HIGH" + scanners: "license" + format: "json" + output: "license_scan_python.json" + exit-code: "1" + list-all-pkgs: "true" + - name: Check node licenses + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + if: ${{ steps.check_languages.outputs.uses_node == 'true' }} + with: + scan-type: "fs" + scan-ref: "package-lock.json" + severity: "CRITICAL,HIGH" + scanners: "license" + format: "json" + output: "license_scan_node.json" + exit-code: "1" + list-all-pkgs: "true" + - name: Check go licenses + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + with: + scan-type: "fs" + scan-ref: "go.sum" + severity: "CRITICAL,HIGH" + scanners: "license" + format: "json" + output: "license_scan_go.json" + exit-code: "1" + list-all-pkgs: "true" + - name: Check java licenses + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + if: ${{ 
steps.check_languages.outputs.uses_java == 'true' }} with: scan-type: "fs" - scan-ref: "." + scan-ref: "pom.xml" severity: "CRITICAL,HIGH" scanners: "license" format: "json" - output: "license_scan.json" + output: "license_scan_java.json" exit-code: "1" list-all-pkgs: "true" - name: Show license scan output if: always() - run: cat license_scan.json + run: | + cat license_scan_python.json + cat license_scan_node.json + cat license_scan_go.json + cat license_scan_java.json - name: Run code lint run: make lint @@ -185,8 +244,8 @@ jobs: run: make test - name: Generate and check python SBOMs - if: ${{ steps.check_poetry.outputs.uses_poetry == 'true' }} - uses: aquasecurity/trivy-action@0.33.1 + if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" scan-ref: "poetry.lock" 
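Review bot: The rewritten "Show license scan output" step runs `cat` on all four `license_scan_*.json` files under `if: always()`, but each scan step is conditional on its language being detected, so on any repository that does not use all four ecosystems at least one file is missing and the display step fails the job. Guard each read, `if [ -f license_scan_python.json ]; then cat license_scan_python.json; fi`, or loop over `license_scan_*.json`. The new detection only recognises a root-level `package-lock.json` and `pom.xml`, so repos using `yarn.lock`/`pnpm-lock.yaml` or Gradle get neither a license nor a vulnerability scan while still passing the job; a comment naming the supported manifests would at least make that visible. Scanning `pom.xml` without a lockfile also means, as I understand trivy's Maven support, that dependency versions are resolved by fetching from the remote repository at scan time, so the result depends on network access and on what the repository serves that day.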
@@ -195,9 +254,46 @@ jobs: format: "table" output: "dependency_results_python.txt" exit-code: "1" + - name: Generate and check node SBOMs + if: ${{ steps.check_languages.outputs.uses_node == 'true' }} + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "fs" + scan-ref: "package-lock.json" + severity: "CRITICAL,HIGH" + scanners: "vuln" + format: "table" + output: "dependency_results_node.txt" + exit-code: "1" + - name: Generate and check java SBOMs + if: ${{ steps.check_languages.outputs.uses_java == 'true' }} + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "fs" + scan-ref: "pom.xml" + severity: "CRITICAL,HIGH" + scanners: "vuln" + format: "table" + output: "dependency_results_java.txt" + exit-code: "1" + - name: Generate and check golang SBOMs + if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "fs" + scan-ref: "go.sum" + severity: "CRITICAL,HIGH" + scanners: "vuln" + format: "table" + output: "dependency_results_go.txt" + exit-code: "1" - name: Show scan output if: always() - run: cat dependency_results_python.txt + run: | + cat dependency_results_python.txt + cat dependency_results_node.txt + cat dependency_results_java.txt + cat dependency_results_go.txt - name: "check is SONAR_TOKEN exists" env: super_secret: ${{ secrets.SONAR_TOKEN }} 
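Review bot: The three added steps are titled "Generate and check node/java/golang SBOMs" but, like the Python step above them, use `scanners: "vuln"` with `format: "table"`, so no SBOM is generated or kept anywhere; a reader looking for the SBOM this job is supposed to produce will not find one. Either rename the steps to "Check <language> dependencies for vulnerabilities" or add a `format: "cyclonedx"` run whose output is uploaded as an artifact, and say in a comment which of the two is intended. The four steps differ only in `scan-ref` and `output`, so a single shell step looping over the detected manifests, or a single `scan-ref: "."` run with trivy's own discovery, would remove the duplication that is already drifting (the java step has no `trivy-config` line in later commits while the others do).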
@@ -205,12 +301,12 @@ jobs: run: echo "SONAR_TOKEN_EXISTS=true" >> "$GITHUB_ENV" - name: Run SonarQube analysis - if: ${{ steps.check_java.outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }} + if: ${{ steps.check_languages.outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }} run: mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }} - name: SonarCloud Scan uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 - if: ${{ steps.check_java.outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }} + if: ${{ steps.check_languages.outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From ea123fe3a9ce3d7a17cc0cacf3262aac02c624ce Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 10:05:25 +0000 Subject: [PATCH 09/37] only show files if they exist --- .github/workflows/quality-checks.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 5ac5684..fbf3a21 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -126,7 +126,7 @@ jobs: run: | if [ -f "pyproject.toml" ] && grep -q '\[tool.poetry\]' "pyproject.toml"; then echo "****************" - echo "Project uses poetry" + echo "Detected a poetry project" echo "****************" echo "uses_poetry=true" >> "$GITHUB_OUTPUT" else 
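Review bot: The SonarQube step retained by the new condition passes the secret on the command line, `mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}`; GitHub masks the value in the job log, but the expansion still lands in the shell's argument list where any other process on the runner can read it, and in any Maven crash or debug dump. Prefer the environment, i.e. `env: { SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}" }` on the step and a plain `run: mvn sonar:sonar`, which recent versions of the Sonar Maven plugin read; the same plugin also reports `sonar.login` as deprecated in favour of `sonar.token`, so this line will need touching anyway. The step's enclosing job continues outside the hunk.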
@@ -220,10 +220,10 @@ jobs: - name: Show license scan output if: always() run: | - cat license_scan_python.json - cat license_scan_node.json - cat license_scan_go.json - cat license_scan_java.json + [ -f license_scan_python.json ] && cat license_scan_python.json + [ -f license_scan_node.json ] && cat license_scan_node.json + [ -f license_scan_go.json ] && cat license_scan_go.json + [ -f license_scan_java.json ] && cat license_scan_java.json - name: Run code lint run: make lint @@ -290,10 +290,10 @@ jobs: - name: Show scan output if: always() run: | - cat dependency_results_python.txt - cat dependency_results_node.txt - cat dependency_results_java.txt - cat dependency_results_go.txt + [ -f dependency_results_python.txt ] && cat dependency_results_python.txt + [ -f dependency_results_node.txt ] && cat dependency_results_node.txt + [ -f dependency_results_java.txt ] && cat dependency_results_java.txt + [ -f dependency_results_go.txt ] && cat dependency_results_go.txt - name: "check is SONAR_TOKEN exists" env: super_secret: ${{ secrets.SONAR_TOKEN }} From 2484ef072300d94f4bddd74342b5954c09005f52 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 10:10:34 +0000 Subject: [PATCH 10/37] make it work --- .github/workflows/quality-checks.yml | 32 +++++++++++++++++++++------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index fbf3a21..944812b 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
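Review bot: The `[ -f … ] && cat …` form does not do what the commit message says: under GitHub's default `bash -e` shell a failing `[` is tolerated only because it is the non-final command of an `&&` list, but the exit status of the *last* line is the step's exit status, so when `license_scan_java.json` is absent the step exits 1 and the job goes red even though every scan passed. Write each guard as `if [ -f license_scan_java.json ]; then cat license_scan_java.json; fi` (or append `|| true` to the last line) so a missing file is a no-op. The identical pattern in the "Show scan output" hunk below has the same problem with `dependency_results_go.txt`.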
@@ -220,10 +220,18 @@ jobs: - name: Show license scan output if: always() run: | - [ -f license_scan_python.json ] && cat license_scan_python.json - [ -f license_scan_node.json ] && cat license_scan_node.json - [ -f license_scan_go.json ] && cat license_scan_go.json - [ -f license_scan_java.json ] && cat license_scan_java.json + if [ -f license_scan_python.json ]; then + cat license_scan_python.json + fi + if [ -f license_scan_node.json ]; then + cat license_scan_node.json + fi + if [ -f license_scan_go.json ]; then + cat license_scan_go.json + fi + if [ -f license_scan_java.json ]; then + cat license_scan_java.json + fi - name: Run code lint run: make lint @@ -290,10 +298,18 @@ jobs: - name: Show scan output if: always() run: | - [ -f dependency_results_python.txt ] && cat dependency_results_python.txt - [ -f dependency_results_node.txt ] && cat dependency_results_node.txt - [ -f dependency_results_java.txt ] && cat dependency_results_java.txt - [ -f dependency_results_go.txt ] && cat dependency_results_go.txt + if [ -f dependency_results_python.txt ]; then + cat dependency_results_python.txt + fi + if [ -f dependency_results_node.txt ]; then + cat dependency_results_node.txt + fi + if [ -f dependency_results_java.txt ]; then + cat dependency_results_java.txt + fi + if [ -f dependency_results_go.txt ]; then + cat dependency_results_go.txt + fi - name: "check is SONAR_TOKEN exists" env: super_secret: ${{ secrets.SONAR_TOKEN }} From 9dc42c7bde2de15a9eee0d408c14cdb9f24af103 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 10:33:01 +0000 Subject: [PATCH 11/37] add trivy config --- .github/workflows/quality-checks.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 944812b..61804b1 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -168,7 +168,10 @@ jobs: echo "****************" echo "uses_go=false" >> "$GITHUB_OUTPUT" fi - + cat < trivy.yaml + pkg: + include-dev-deps: true + EOF - name: Check python licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} @@ -181,6 +184,7 @@ jobs: output: "license_scan_python.json" exit-code: "1" list-all-pkgs: "true" + trivy-config: trivy.yaml - name: Check node licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_node == 'true' }} @@ -193,6 +197,7 @@ jobs: output: "license_scan_node.json" exit-code: "1" list-all-pkgs: "true" + trivy-config: trivy.yaml - name: Check go licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_go == 'true' }} @@ -205,6 +210,7 @@ jobs: output: "license_scan_go.json" exit-code: "1" list-all-pkgs: "true" + trivy-config: trivy.yaml - name: Check java licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_java == 'true' }} @@ -217,6 +223,7 @@ jobs: output: "license_scan_java.json" exit-code: "1" list-all-pkgs: "true" + trivy-config: trivy.yaml - name: Show license scan output if: always() run: | @@ -262,6 +269,7 @@ jobs: format: "table" output: "dependency_results_python.txt" exit-code: "1" + trivy-config: trivy.yaml - name: Generate and check node SBOMs if: ${{ steps.check_languages.outputs.uses_node == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 @@ -273,6 +281,7 @@ jobs: format: "table" output: "dependency_results_node.txt" exit-code: "1" + trivy-config: trivy.yaml - name: Generate and check java SBOMs if: ${{ steps.check_languages.outputs.uses_java == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 
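Review bot: The config is written into the checked-out workspace as `trivy.yaml`, so if the repository being checked already carries its own `trivy.yaml` (ignore rules, license lists) this line silently replaces it and the scans run on a different policy than the repo's maintainers expect; write to a path outside the workspace, e.g. `"$RUNNER_TEMP/trivy.yaml"`, and point each `trivy-config:` input at that, or skip the write when the file exists. As rendered on this page the line reads `cat < trivy.yaml`, which as shown would be a read redirect from a file that does not exist yet; I assume the heredoc operator (`cat <<EOF > trivy.yaml`) was lost in rendering, but if the committed text really is as shown the step fails. The `# Create trivy config` purpose also belongs in its own step rather than at the tail of the language-detection step, so its `id` and outputs are not conflated with the detection.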
@@ -295,6 +304,7 @@ jobs: format: "table" output: "dependency_results_go.txt" exit-code: "1" + trivy-config: trivy.yaml - name: Show scan output if: always() run: | From 88bd3e5ef3d4360905cfdd2e744414b90a677f70 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 10:47:28 +0000 Subject: [PATCH 12/37] table output --- .github/workflows/quality-checks.yml | 40 ++++++++++++++-------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 61804b1..2014d96 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -180,10 +180,10 @@ jobs: scan-ref: "poetry.lock" severity: "CRITICAL,HIGH" scanners: "license" - format: "json" - output: "license_scan_python.json" + format: "table" + output: "license_scan_python.txt" exit-code: "1" - list-all-pkgs: "true" + list-all-pkgs: "false" trivy-config: trivy.yaml - name: Check node licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 @@ -193,10 +193,10 @@ jobs: scan-ref: "package-lock.json" severity: "CRITICAL,HIGH" scanners: "license" - format: "json" - output: "license_scan_node.json" + format: "table" + output: "license_scan_node.txt" exit-code: "1" - list-all-pkgs: "true" + list-all-pkgs: "false" trivy-config: trivy.yaml - name: Check go licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 @@ -206,10 +206,10 @@ jobs: scan-ref: "go.sum" severity: "CRITICAL,HIGH" scanners: "license" - format: "json" - output: "license_scan_go.json" + format: "table" + output: "license_scan_go.txt" exit-code: "1" - list-all-pkgs: "true" + list-all-pkgs: "false" trivy-config: trivy.yaml - name: Check java licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 
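Review bot: `trivy-config: trivy.yaml` is added to the python, node and go vulnerability steps in this commit, but going by the hunks here it is not added to the "Generate and check java SBOMs" step that sits between the node and go hunks, so Java is the one ecosystem whose dev-scope dependencies are not included (`include-dev-deps: true` comes only from the config). The removed lines in the later "single job for sbom" commit confirm the java step never received it. Add the same `trivy-config: trivy.yaml` line to that step, or better, set the config once via the `TRIVY_CONFIG` environment variable at job level so a new step cannot miss it.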
@@ -219,25 +219,25 @@ jobs: scan-ref: "pom.xml" severity: "CRITICAL,HIGH" scanners: "license" - format: "json" - output: "license_scan_java.json" + format: "table" + output: "license_scan_java.txt" exit-code: "1" - list-all-pkgs: "true" + list-all-pkgs: "false" trivy-config: trivy.yaml - name: Show license scan output if: always() run: | - if [ -f license_scan_python.json ]; then - cat license_scan_python.json + if [ -f license_scan_python.txt ]; then + cat license_scan_python.txt fi - if [ -f license_scan_node.json ]; then - cat license_scan_node.json + if [ -f license_scan_node.txt ]; then + cat license_scan_node.txt fi - if [ -f license_scan_go.json ]; then - cat license_scan_go.json + if [ -f license_scan_go.txt ]; then + cat license_scan_go.txt fi - if [ -f license_scan_java.json ]; then - cat license_scan_java.json + if [ -f license_scan_java.txt ]; then + cat license_scan_java.txt fi - name: Run code lint From 22d98b8c40e220b1410a6688c46a0dba74bfc636 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 11:39:01 +0000 Subject: [PATCH 13/37] correct go path --- .github/workflows/quality-checks.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 2014d96..683f9c6 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -157,7 +157,7 @@ jobs: echo "****************" echo "uses_node=false" >> "$GITHUB_OUTPUT" fi - if [ -f go.sum ]; then + if [ -f src/go.sum ]; then echo "****************" echo "Detected a Go project" echo "****************" @@ -168,7 +168,7 @@ jobs: echo "****************" echo "uses_go=false" >> "$GITHUB_OUTPUT" fi - cat < trivy.yaml + cat <> trivy.yaml pkg: include-dev-deps: true EOF 
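Review bot: The Go detection now hard-codes `src/go.sum`, a layout specific to one repository, while the other three checks still look at the repository root; if this workflow is shared across projects, as the generic language detection suggests, Go projects with `go.mod` at the root silently stop being scanned. Detect the manifest instead of guessing its path, e.g. `GO_MOD=$(find . -name go.mod -not -path '*/node_modules/*' | head -n 1)` exported as an output and used as `scan-ref`, or let `scan-ref: "."` and trivy's own discovery find it. Changing the config write to append (`>>`) also means that on any runner where `trivy.yaml` already exists, whether from the repo or a previous step, the file ends up with a duplicate top-level `pkg:` key, which a YAML loader either rejects or resolves last-wins without warning; overwrite with `>` to a path you own rather than appending.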
@@ -203,7 +203,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_go == 'true' }} with: scan-type: "fs" - scan-ref: "go.sum" + scan-ref: "src/go.sum" severity: "CRITICAL,HIGH" scanners: "license" format: "table" @@ -298,7 +298,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - scan-ref: "go.sum" + scan-ref: "src/go.sum" severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" From a2a1d1df55b01d8d54a6e8bce0814e17c7410dc5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 11:47:00 +0000 Subject: [PATCH 14/37] fix golang --- .github/workflows/quality-checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 683f9c6..feedb17 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -203,7 +203,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_go == 'true' }} with: scan-type: "fs" - scan-ref: "src/go.sum" + scan-ref: "src/go.mod" severity: "CRITICAL,HIGH" scanners: "license" format: "table" @@ -298,7 +298,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - scan-ref: "src/go.sum" + scan-ref: "src/go.mod" severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" From b8310acee038c772fe7e30569d80efe85a8379ce Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 14:44:55 +0000 Subject: [PATCH 15/37] use single job --- .github/workflows/quality-checks.yml | 101 ++++++++++++--------------- 1 file changed, 46 insertions(+), 55 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index feedb17..5aac093 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
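Review bot: Both Go steps now scan `src/go.mod`, but the `uses_go` output that gates them is still set from `[ -f src/go.sum ]` in the detection step, so a module with a `go.mod` but no `go.sum` (no external dependencies yet) is reported as "not Go" and skipped, while a stale `go.sum` without `go.mod` would enable a scan that has nothing to read. Gate on the same file you scan, `if [ -f src/go.mod ]; then`, and consider a comment noting that trivy builds the dependency graph from `go.mod`, which for modules declaring a Go version older than 1.17 lists only direct dependencies.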
@@ -121,7 +121,7 @@ jobs: run: | make install - - name: Check language tools used + - name: Check language tools used and setup trivy config id: check_languages run: | if [ -f "pyproject.toml" ] && grep -q '\[tool.poetry\]' "pyproject.toml"; then 
@@ -168,77 +168,68 @@ jobs: echo "****************" echo "uses_go=false" >> "$GITHUB_OUTPUT" fi + # Create trivy config to include dev dependencies cat <> trivy.yaml pkg: include-dev-deps: true EOF - - name: Check python licenses + - name: Check licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} with: scan-type: "fs" - scan-ref: "poetry.lock" - severity: "CRITICAL,HIGH" - scanners: "license" - format: "table" - output: "license_scan_python.txt" - exit-code: "1" - list-all-pkgs: "false" - trivy-config: trivy.yaml - - name: Check node licenses - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - if: ${{ steps.check_languages.outputs.uses_node == 'true' }} - with: - scan-type: "fs" - scan-ref: "package-lock.json" - severity: "CRITICAL,HIGH" - scanners: "license" - format: "table" - output: "license_scan_node.txt" - exit-code: "1" - list-all-pkgs: "false" - trivy-config: trivy.yaml - - name: Check go licenses - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - with: - scan-type: "fs" - scan-ref: "src/go.mod" + scan-ref: "." 
severity: "CRITICAL,HIGH" scanners: "license" format: "table" - output: "license_scan_go.txt" - exit-code: "1" - list-all-pkgs: "false" - trivy-config: trivy.yaml - - name: Check java licenses - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - if: ${{ steps.check_languages.outputs.uses_java == 'true' }} - with: - scan-type: "fs" - scan-ref: "pom.xml" - severity: "CRITICAL,HIGH" - scanners: "license" - format: "table" - output: "license_scan_java.txt" + output: "license_scan.txt" exit-code: "1" list-all-pkgs: "false" trivy-config: trivy.yaml + version: "0.68.2" + # - name: Check node licenses + # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + # if: ${{ steps.check_languages.outputs.uses_node == 'true' }} + # with: + # scan-type: "fs" + # scan-ref: "package-lock.json" + # severity: "CRITICAL,HIGH" + # scanners: "license" + # format: "table" + # output: "license_scan_node.txt" + # exit-code: "1" + # list-all-pkgs: "false" + # trivy-config: trivy.yaml + # - name: Check go licenses + # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + # if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + # with: + # scan-type: "fs" + # scan-ref: "src/go.mod" + # severity: "CRITICAL,HIGH" + # scanners: "license" + # format: "table" + # output: "license_scan_go.txt" + # exit-code: "1" + # list-all-pkgs: "false" + # trivy-config: trivy.yaml + # - name: Check java licenses + # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + # if: ${{ steps.check_languages.outputs.uses_java == 'true' }} + # with: + # scan-type: "fs" + # scan-ref: "pom.xml" + # severity: "CRITICAL,HIGH" + # scanners: "license" + # format: "table" + # output: "license_scan_java.txt" + # exit-code: "1" + # list-all-pkgs: "false" + # trivy-config: trivy.yaml - name: Show license scan output if: always() run: | - if [ -f license_scan_python.txt ]; then - cat license_scan_python.txt - fi - if [ -f 
license_scan_node.txt ]; then - cat license_scan_node.txt - fi - if [ -f license_scan_go.txt ]; then - cat license_scan_go.txt - fi - if [ -f license_scan_java.txt ]; then - cat license_scan_java.txt - fi + cat license_scan.txt - name: Run code lint run: make lint From cf701fc34d6e026fc9c7e81c16dd97ae856ea4db Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 14:52:23 +0000 Subject: [PATCH 16/37] use v --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 5aac093..d1b377a 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -186,7 +186,7 @@ jobs: exit-code: "1" list-all-pkgs: "false" trivy-config: trivy.yaml - version: "0.68.2" + version: "v0.68.2" # - name: Check node licenses # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # if: ${{ steps.check_languages.outputs.uses_node == 'true' }} From ccaad712b77aa7cac8fa8da064397249b04ae87b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 14:55:54 +0000 Subject: [PATCH 17/37] single job for sbom --- .github/workflows/quality-checks.yml | 89 ++++++++++++---------------- 1 file changed, 39 insertions(+), 50 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index d1b377a..8f57a46 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
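Review bot: The consolidated "Check licenses" step now scans `"."` for every ecosystem but keeps `if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }}`, so a Node, Go or Java-only repository gets no license check at all and still passes the job; drop the condition (trivy simply reports nothing when no manifest is found) or gate on any of the four detection outputs. The four per-language steps are left in the file as commented-out YAML rather than deleted; they are now dead text that will drift from the live step and should be removed, with git history preserving them if they are ever wanted back. The pinned `version: "0.68.2"` is a separate concern from the action SHA and deserves a one-line comment explaining why the scanner version is pinned independently of the action.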
@@ -249,68 +249,57 @@ jobs: - name: Run unit tests run: make test - - name: Generate and check python SBOMs + - name: Generate and check SBOMs if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - scan-ref: "poetry.lock" - severity: "CRITICAL,HIGH" - scanners: "vuln" - format: "table" - output: "dependency_results_python.txt" - exit-code: "1" - trivy-config: trivy.yaml - - name: Generate and check node SBOMs - if: ${{ steps.check_languages.outputs.uses_node == 'true' }} - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - with: - scan-type: "fs" - scan-ref: "package-lock.json" - severity: "CRITICAL,HIGH" - scanners: "vuln" - format: "table" - output: "dependency_results_node.txt" - exit-code: "1" - trivy-config: trivy.yaml - - name: Generate and check java SBOMs - if: ${{ steps.check_languages.outputs.uses_java == 'true' }} - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - with: - scan-type: "fs" - scan-ref: "pom.xml" - severity: "CRITICAL,HIGH" - scanners: "vuln" - format: "table" - output: "dependency_results_java.txt" - exit-code: "1" - - name: Generate and check golang SBOMs - if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - with: - scan-type: "fs" - scan-ref: "src/go.mod" + scan-ref: "." 
severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" - output: "dependency_results_go.txt" + output: "dependency_results.txt" exit-code: "1" trivy-config: trivy.yaml + # - name: Generate and check node SBOMs + # if: ${{ steps.check_languages.outputs.uses_node == 'true' }} + # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + # with: + # scan-type: "fs" + # scan-ref: "package-lock.json" + # severity: "CRITICAL,HIGH" + # scanners: "vuln" + # format: "table" + # output: "dependency_results_node.txt" + # exit-code: "1" + # trivy-config: trivy.yaml + # - name: Generate and check java SBOMs + # if: ${{ steps.check_languages.outputs.uses_java == 'true' }} + # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + # with: + # scan-type: "fs" + # scan-ref: "pom.xml" + # severity: "CRITICAL,HIGH" + # scanners: "vuln" + # format: "table" + # output: "dependency_results_java.txt" + # exit-code: "1" + # - name: Generate and check golang SBOMs + # if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + # with: + # scan-type: "fs" + # scan-ref: "src/go.mod" + # severity: "CRITICAL,HIGH" + # scanners: "vuln" + # format: "table" + # output: "dependency_results_go.txt" + # exit-code: "1" + # trivy-config: trivy.yaml - name: Show scan output if: always() run: | - if [ -f dependency_results_python.txt ]; then - cat dependency_results_python.txt - fi - if [ -f dependency_results_node.txt ]; then - cat dependency_results_node.txt - fi - if [ -f dependency_results_java.txt ]; then - cat dependency_results_java.txt - fi - if [ -f dependency_results_go.txt ]; then - cat dependency_results_go.txt - fi + cat dependency_results.txt - name: "check is SONAR_TOKEN exists" env: super_secret: ${{ secrets.SONAR_TOKEN }} From 88630c7b29566b99da9f3217fc7ddfc1805e5eff Mon Sep 17 00:00:00 2001 
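Review bot: The single vulnerability scan now covers `"."` but is still conditional on `uses_poetry == 'true'`, so non-Poetry repositories get no dependency vulnerability check from this job at all, and because the following "Show scan output" step runs under `if: always()` and does an unconditional `cat dependency_results.txt`, those repositories also fail on the missing file. Remove the `if:` from the scan step (or gate on any detected ecosystem) and keep the display step conditional on the scan having run, e.g. `if: always() && steps.<scan-id>.outcome != 'skipped'` after giving the scan step an `id`. As in the license hunk, the commented-out per-language steps should be deleted rather than left behind.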
From: Anthony Brown Date: Tue, 6 Jan 2026 14:59:49 +0000 Subject: [PATCH 18/37] individual scans --- .github/workflows/quality-checks.yml | 183 +++++++++++++++------------ 1 file changed, 102 insertions(+), 81 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 8f57a46..5548010 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -182,54 +182,64 @@ jobs: severity: "CRITICAL,HIGH" scanners: "license" format: "table" - output: "license_scan.txt" + output: "license_scan_python.txt" + exit-code: "1" + list-all-pkgs: "false" + trivy-config: trivy.yaml + - name: Check node licenses + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + if: ${{ steps.check_languages.outputs.uses_node == 'true' }} + with: + scan-type: "fs" + scan-ref: "package-lock.json" + severity: "CRITICAL,HIGH" + scanners: "license" + format: "table" + output: "license_scan_node.txt" + exit-code: "1" + list-all-pkgs: "false" + trivy-config: trivy.yaml + - name: Check go licenses + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + with: + scan-type: "fs" + scan-ref: "src/go.mod" + severity: "CRITICAL,HIGH" + scanners: "license" + format: "table" + output: "license_scan_go.txt" + exit-code: "1" + list-all-pkgs: "false" + trivy-config: trivy.yaml + - name: Check java licenses + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + if: ${{ steps.check_languages.outputs.uses_java == 'true' }} + with: + scan-type: "fs" + scan-ref: "pom.xml" + severity: "CRITICAL,HIGH" + scanners: "license" + format: "table" + output: "license_scan_java.txt" exit-code: "1" list-all-pkgs: "false" trivy-config: trivy.yaml - version: "v0.68.2" - # - name: Check node licenses - # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - # if: ${{ steps.check_languages.outputs.uses_node == 'true' }} - # with: - # scan-type: "fs" - # scan-ref: "package-lock.json" - # severity: "CRITICAL,HIGH" - # scanners: "license" - # format: "table" - # output: "license_scan_node.txt" - # exit-code: "1" - # list-all-pkgs: "false" - # trivy-config: trivy.yaml - # - name: Check go licenses - # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - # if: ${{ steps.check_languages.outputs.uses_go == 'true' }} 
- # with: - # scan-type: "fs" - # scan-ref: "src/go.mod" - # severity: "CRITICAL,HIGH" - # scanners: "license" - # format: "table" - # output: "license_scan_go.txt" - # exit-code: "1" - # list-all-pkgs: "false" - # trivy-config: trivy.yaml - # - name: Check java licenses - # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - # if: ${{ steps.check_languages.outputs.uses_java == 'true' }} - # with: - # scan-type: "fs" - # scan-ref: "pom.xml" - # severity: "CRITICAL,HIGH" - # scanners: "license" - # format: "table" - # output: "license_scan_java.txt" - # exit-code: "1" - # list-all-pkgs: "false" - # trivy-config: trivy.yaml - name: Show license scan output if: always() run: | - cat license_scan.txt + if [ -f license_scan_python.txt ]; then + cat license_scan_python.txt + fi + if [ -f license_scan_node.txt ]; then + cat license_scan_node.txt + fi + if [ -f license_scan_go.txt ]; then + cat license_scan_go.txt + fi + if [ -f license_scan_java.txt ]; then + cat license_scan_java.txt + fi - name: Run code lint run: make lint 
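Review bot: The python licence stanza loses its `version: "v0.68.2"` line, so the Trivy release in use now comes from whatever default the pinned action commit carries; if that default is fixed by the SHA this is a silent scanner-version change, and if it floats, scan results can change with no edit to this file. Either way the choice is undocumented — restoring `version: "v0.68.2"` on all four licence stanzas (the three new ones never had it) keeps the scanner binary pinned as tightly as the action wrapper. The four stanzas differ only in `if`, `scan-ref` and `output`, which is exactly the kind of duplication that lets one copy drift from the others. The job these steps belong to starts outside the hunk.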
@@ -249,57 +259,68 @@ jobs: - name: Run unit tests run: make test - - name: Generate and check SBOMs + - name: Generate and check python SBOMs if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - scan-ref: "." + scan-ref: "poetry.lock" severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" - output: "dependency_results.txt" + output: "dependency_results_python.txt" + exit-code: "1" + trivy-config: trivy.yaml + - name: Generate and check node SBOMs + if: ${{ steps.check_languages.outputs.uses_node == 'true' }} + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "fs" + scan-ref: "package-lock.json" + severity: "CRITICAL,HIGH" + scanners: "vuln" + format: "table" + output: "dependency_results_node.txt" + exit-code: "1" + trivy-config: trivy.yaml + - name: Generate and check java SBOMs + if: ${{ steps.check_languages.outputs.uses_java == 'true' }} + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "fs" + scan-ref: "pom.xml" + severity: "CRITICAL,HIGH" + scanners: "vuln" + format: "table" + output: "dependency_results_java.txt" + exit-code: "1" + - name: Generate and check golang SBOMs + if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "fs" + scan-ref: "src/go.mod" + severity: "CRITICAL,HIGH" + scanners: "vuln" + format: "table" + output: "dependency_results_go.txt" exit-code: "1" trivy-config: trivy.yaml - # - name: Generate and check node SBOMs - # if: ${{ steps.check_languages.outputs.uses_node == 'true' }} - # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - # with: - # scan-type: "fs" - # scan-ref: "package-lock.json" - # severity: "CRITICAL,HIGH" - # scanners: "vuln" - # format: "table" - # output: "dependency_results_node.txt" - # 
exit-code: "1" - # trivy-config: trivy.yaml - # - name: Generate and check java SBOMs - # if: ${{ steps.check_languages.outputs.uses_java == 'true' }} - # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - # with: - # scan-type: "fs" - # scan-ref: "pom.xml" - # severity: "CRITICAL,HIGH" - # scanners: "vuln" - # format: "table" - # output: "dependency_results_java.txt" - # exit-code: "1" - # - name: Generate and check golang SBOMs - # if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - # with: - # scan-type: "fs" - # scan-ref: "src/go.mod" - # severity: "CRITICAL,HIGH" - # scanners: "vuln" - # format: "table" - # output: "dependency_results_go.txt" - # exit-code: "1" - # trivy-config: trivy.yaml - name: Show scan output if: always() run: | - cat dependency_results.txt + if [ -f dependency_results_python.txt ]; then + cat dependency_results_python.txt + fi + if [ -f dependency_results_node.txt ]; then + cat dependency_results_node.txt + fi + if [ -f dependency_results_java.txt ]; then + cat dependency_results_java.txt + fi + if [ -f dependency_results_go.txt ]; then + cat dependency_results_go.txt + fi - name: "check is SONAR_TOKEN exists" env: super_secret: ${{ secrets.SONAR_TOKEN }} From 23f04f06311689ffc9541fa37eb475e7df9d9f88 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 15:02:11 +0000 Subject: [PATCH 19/37] individual scans --- .github/workflows/quality-checks.yml | 4 ++-- trivy.yaml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 trivy.yaml diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 5548010..cc75419 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
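Review bot: The new java SBOM stanza ends at `exit-code: "1"` without the `trivy-config: trivy.yaml` line that the python, node and go stanzas carry, so whatever that config sets (presumably the include-dev-deps option written elsewhere in this series) is not applied to the Java scan. Add `trivy-config: trivy.yaml` after `exit-code: "1"` in the java stanza so all four vulnerability scans read the same configuration. The stanza this hunk removes was the only one that scanned `.`; a one-line comment on the first stanza saying why per-lockfile scans replaced it would help the next reader.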
@@ -173,12 +173,12 @@ jobs: pkg: include-dev-deps: true EOF - - name: Check licenses + - name: Check python licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} with: scan-type: "fs" - scan-ref: "." + scan-ref: "poetry.lock" severity: "CRITICAL,HIGH" scanners: "license" format: "table" diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 0000000..8ffd67f --- /dev/null +++ b/trivy.yaml @@ -0,0 +1,2 @@ +pkg: + include-dev-deps: true From eb20f0fb4a1cf77e0d3ca0a2c57d3c3872dd4e9b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 15:07:01 +0000 Subject: [PATCH 20/37] use yq --- .github/workflows/quality-checks.yml | 10 +++++----- trivy.yaml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index cc75419..c01ba4b 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -168,11 +168,11 @@ jobs: echo "****************" echo "uses_go=false" >> "$GITHUB_OUTPUT" fi - # Create trivy config to include dev dependencies - cat <> trivy.yaml - pkg: - include-dev-deps: true - EOF + touch trivy.yaml + - name: Update trivy config to include dev dependencies + uses: mikefarah/yq@065b200af9851db0d5132f50bc10b1406ea5c0a8 + with: + cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' - name: Check python licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} diff --git a/trivy.yaml b/trivy.yaml index 8ffd67f..f0359e5 100644 --- a/trivy.yaml +++ b/trivy.yaml @@ -1,2 +1,2 @@ pkg: - include-dev-deps: true + include-dev-deps: false From f863c25a814fe1c7ee1aeca9ec040672e8eca0b6 Mon Sep 17 00:00:00 2001 
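Review bot: The committed `trivy.yaml` is flipped to `include-dev-deps: false` in the same commit that makes CI rewrite it to `true` with `yq -i`, so a developer running Trivy locally against the checked-in file gets a narrower result than CI does, and the effective policy is visible only by reading the workflow. Commit the value CI actually enforces (`include-dev-deps: true`) and drop the `touch`/yq mutation, or keep the file out of the repository and generate it entirely in the workflow. `touch trivy.yaml` is also buried at the end of the language-detection run step, where a reader would not look for the origin of the config file; a comment there (`# trivy.yaml is created here and filled in by the yq step below`) would at least make the dependency explicit.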
From: Anthony Brown Date: Tue, 6 Jan 2026 16:28:45 +0000 Subject: [PATCH 21/37] really check files --- .github/workflows/quality-checks.yml | 30 ++++++++++++++++++---------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index c01ba4b..fd2d2c6 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -178,7 +178,8 @@ jobs: if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} with: scan-type: "fs" - scan-ref: "poetry.lock" + skip-files: "**/package-lock.json,**/go.sum,**/pom.xml" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" format: "table" @@ -191,7 +192,8 @@ jobs: if: ${{ steps.check_languages.outputs.uses_node == 'true' }} with: scan-type: "fs" - scan-ref: "package-lock.json" + skip-files: "**/poetry.lock,**/go.sum,**/pom.xml" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" format: "table" @@ -204,7 +206,8 @@ jobs: if: ${{ steps.check_languages.outputs.uses_go == 'true' }} with: scan-type: "fs" - scan-ref: "src/go.mod" + skip-files: "**/poetry.lock,**/package-lock.json,**/pom.xml" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" format: "table" @@ -217,7 +220,8 @@ jobs: if: ${{ steps.check_languages.outputs.uses_java == 'true' }} with: scan-type: "fs" - scan-ref: "pom.xml" + skip-files: "**/poetry.lock,**/package-lock.json,**/go.sum" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" format: "table" @@ -264,7 +268,8 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - scan-ref: "poetry.lock" + skip-files: "**/package-lock.json,**/go.sum,**/pom.xml" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" 
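Review bot: Every new `skip-files` list names `**/go.sum`, but the scan-ref these hunks replace was `src/go.mod`, which suggests the Go inventory is read from go.mod; if so, skipping go.sum does not keep Go modules out of the python, node and java scans, and Go findings will be reported (and can fail the job) in each of them. Use `**/go.mod` in the lists, adding `**/go.sum` as well only if the analyzer reads both. Scanning `.` with cross-exclusions also means any other dependency manifest in the tree is picked up by all four steps, so a comment on the first stanza explaining why `.` is preferred over the lock file would document the trade-off.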
@@ -276,30 +281,33 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - scan-ref: "package-lock.json" + skip-files: "**/poetry.lock,**/go.sum,**/pom.xml" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" output: "dependency_results_node.txt" exit-code: "1" trivy-config: trivy.yaml - - name: Generate and check java SBOMs + - name: Generate and check go SBOMs if: ${{ steps.check_languages.outputs.uses_java == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - scan-ref: "pom.xml" + skip-files: "**/poetry.lock,**/package-lock.json,**/pom.xml" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" - output: "dependency_results_java.txt" + output: "dependency_results_go.txt" exit-code: "1" - - name: Generate and check golang SBOMs + - name: Generate and check java SBOMs if: ${{ steps.check_languages.outputs.uses_go == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - scan-ref: "src/go.mod" + skip-files: "**/poetry.lock,**/package-lock.json,**/go.sum" + scan-ref: "." severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" From f059796e60856e2b83eba41942899b6dd1e8ba71 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 16:38:52 +0000 Subject: [PATCH 22/37] create requirements for licence scan --- .github/workflows/quality-checks.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index fd2d2c6..3e4b446 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
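Review bot: The step renamed `Generate and check go SBOMs` is still gated on `steps.check_languages.outputs.uses_java == 'true'` and the one renamed `Generate and check java SBOMs` on `uses_go`, so names and conditions are swapped: in a Java-only repository only the step that skips `**/pom.xml` runs and Java dependencies get no vulnerability scan at all, while in a Go-only repository the Go scan runs under the java step. Swap the two `if:` lines (`if: ${{ steps.check_languages.outputs.uses_go == 'true' }}` on the go step, `uses_java` on the java step). The second stanza's `output:` line is outside this hunk and should be checked at the same time, since the first stanza now writes `dependency_results_go.txt` and nothing visible here renames the second.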
@@ -173,12 +173,17 @@ jobs: uses: mikefarah/yq@065b200af9851db0d5132f50bc10b1406ea5c0a8 with: cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml' + - name: convert python dependencies to requirements.txt + if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} + run: | + poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt + cat requirements.txt - name: Check python licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} with: scan-type: "fs" - skip-files: "**/package-lock.json,**/go.sum,**/pom.xml" + skip-files: "**/package-lock.json,**/go.sum,**/pom.xml,**/poetry.lock" scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" @@ -187,6 +192,10 @@ jobs: exit-code: "1" list-all-pkgs: "false" trivy-config: trivy.yaml + - name: remove requirements.txt + if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} + run: | + rm -f requirements.txt - name: Check node licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_node == 'true' }} From 77e21fcab3df7d33eea083596a82caff5a250357 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 16:40:51 +0000 Subject: [PATCH 23/37] update --- .github/workflows/quality-checks.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 3e4b446..b3d83ed 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -176,6 +176,7 @@ jobs: - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} run: | + poetry self add poetry-plugin-export poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt cat requirements.txt - name: Check python licenses From 7c3d681623f83ef998bc13be85d4139a5a15f6fc Mon Sep 17 00:00:00 2001 
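Review bot: `poetry self add poetry-plugin-export` installs whatever version of the plugin the index serves at run time into the CI Poetry, with no version pin, while every action in this workflow is pinned to a commit; pin it (`poetry self add "poetry-plugin-export==<pinned version>"`) so the licence scan's inputs are reproducible. The same unpinned line survives the rewrite of this step in the later hunk of the series that adds the Poetry version check, so the pin belongs there too. Note also that `--output=requirements.txt` followed by `rm -f requirements.txt` would overwrite and then delete a requirements.txt the repository itself tracks; if that is possible for any consumer of this workflow, guard the export with an existence check.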
From: Anthony Brown Date: Tue, 6 Jan 2026 16:44:57 +0000 Subject: [PATCH 24/37] set venv --- .github/workflows/quality-checks.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index b3d83ed..cb21729 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -193,6 +193,8 @@ jobs: exit-code: "1" list-all-pkgs: "false" trivy-config: trivy.yaml + env: + VENV_DIR: ".venv" - name: remove requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} run: | From c1d38f0294e6528ce5d34a32fb733c6cb85f0ab7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 16:49:43 +0000 Subject: [PATCH 25/37] add TRIVY --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index cb21729..ee0fd2c 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -194,7 +194,7 @@ jobs: list-all-pkgs: "false" trivy-config: trivy.yaml env: - VENV_DIR: ".venv" + TRIVY_VENV_DIR: ".venv" - name: remove requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} run: | From 18cbb42b9e3901a45788ced6ac21963b1d02c2a6 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 16:54:16 +0000 Subject: [PATCH 26/37] try / --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index ee0fd2c..2b7a888 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -194,7 +194,7 @@ jobs: list-all-pkgs: "false" trivy-config: trivy.yaml env: - TRIVY_VENV_DIR: ".venv" + TRIVY_VENV_DIR: "./.venv/" - name: remove requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} run: | 
From 5eab08ca23d2be651a8c9a8fca7a2ca3f58b4f76 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 17:00:43 +0000 Subject: [PATCH 27/37] add path to venv --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 2b7a888..957cb01 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -194,7 +194,7 @@ jobs: list-all-pkgs: "false" trivy-config: trivy.yaml env: - TRIVY_VENV_DIR: "./.venv/" + VENV_DIR: "./.venv/" - name: remove requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} run: | From f607a1bfd4260c34eb00f0fe8658c82606630419 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 17:24:45 +0000 Subject: [PATCH 28/37] use VIRTUAL_ENV --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 957cb01..c362c28 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -194,7 +194,7 @@ jobs: list-all-pkgs: "false" trivy-config: trivy.yaml env: - VENV_DIR: "./.venv/" + VIRTUAL_ENV: "./.venv/" - name: remove requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} run: | From 6206fbeb93415932642559d3550011ad3c8fab90 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 17:46:56 +0000 Subject: [PATCH 29/37] only install export as needed --- .github/workflows/quality-checks.yml | 32 +++++++++++++++++----------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index c362c28..7919ba6 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -176,23 +176,29 @@ jobs: - name: convert python dependencies to requirements.txt if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} run: | - poetry self add poetry-plugin-export + POETRY_VERSION=$(poetry --version | awk '{print $3}') + + if [[ "$(printf '%s\n' "2.0.0" "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "2.0.0" ]] \ + && [[ "$(printf '%s\n' "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "$POETRY_VERSION" ]]; then + echo "Poetry version $POETRY_VERSION is >=2.0.0 and <3.0.0 - installing plugin-export" + poetry self add poetry-plugin-export + else + echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export" + fi poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt cat requirements.txt - name: Check python licenses - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - with: - scan-type: "fs" - skip-files: "**/package-lock.json,**/go.sum,**/pom.xml,**/poetry.lock" - scan-ref: "." - severity: "CRITICAL,HIGH" - scanners: "license" - format: "table" - output: "license_scan_python.txt" - exit-code: "1" - list-all-pkgs: "false" - trivy-config: trivy.yaml + run: | + trivy fs \ + --skip-files "**/package-lock.json,**/go.sum,**/pom.xml" \ + --severity CRITICAL,HIGH \ + --scanners license \ + --format table \ + --output license_scan_python.txt \ + --exit-code 1 \ + --config trivy.yaml \ + . env: VIRTUAL_ENV: "./.venv/" - name: remove requirements.txt From 2942086ff045606277c475a333e1cf6f1fd79c69 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 17:53:06 +0000 Subject: [PATCH 30/37] revert change --- .github/workflows/quality-checks.yml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 7919ba6..c89cd62 100644 
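Review bot: The range check's second test accepts `3.0.0` itself (with both inputs equal, `sort -V | head -n1` returns `$POETRY_VERSION`), contradicting the `<3.0.0` in the echoed message, and `awk '{print $3}'` keeps whatever follows the number in the `poetry --version` output — if that output has the shape `Poetry (version X.Y.Z)` the value carries a trailing `)`. A major-version match says what is meant in one line, `if [[ "$POETRY_VERSION" == 2.* ]]; then`, with `POETRY_VERSION=$(poetry --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)` for the extraction. The `with:` block is also replaced by a direct `trivy fs` invocation, but no visible step installs a `trivy` binary on the runner, so this depends on something outside the hunk.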
--- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -186,19 +186,20 @@ jobs: echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export" fi poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - cat requirements.txt - name: Check python licenses + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} - run: | - trivy fs \ - --skip-files "**/package-lock.json,**/go.sum,**/pom.xml" \ - --severity CRITICAL,HIGH \ - --scanners license \ - --format table \ - --output license_scan_python.txt \ - --exit-code 1 \ - --config trivy.yaml \ - . + with: + scan-type: "fs" + skip-files: "**/poetry.lock,**/go.sum,**/pom.xml,**/package-lock.json" + scan-ref: "." + severity: "CRITICAL,HIGH" + scanners: "license" + format: "table" + output: "license_scan_python.txt" + exit-code: "1" + list-all-pkgs: "false" + trivy-config: trivy.yaml env: VIRTUAL_ENV: "./.venv/" - name: remove requirements.txt From e51ca0cece3b260dfde7e1ac56595f6e37d18052 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 18:33:17 +0000 Subject: [PATCH 31/37] fix java --- .github/workflows/quality-checks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index c89cd62..4077726 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -309,7 +309,7 @@ jobs: exit-code: "1" trivy-config: trivy.yaml - name: Generate and check go SBOMs - if: ${{ steps.check_languages.outputs.uses_java == 'true' }} + if: ${{ steps.check_languages.outputs.uses_go == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" 
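Review bot: The restored `with:` block keeps `env: VIRTUAL_ENV: "./.venv/"` on the python licence step without saying what Trivy does with it; after the rename trail VENV_DIR → TRIVY_VENV_DIR → VIRTUAL_ENV in the preceding commits, the next maintainer cannot tell whether the variable is still needed or which name is right. Add a comment above `env:` such as `# VIRTUAL_ENV: presumably lets Trivy read licence metadata from the installed site-packages for the exported requirements.txt — TODO confirm against the Trivy pip analyzer docs`. The skip list now also excludes `**/poetry.lock`, which is the reason the export step exists; a comment on `skip-files` tying the two together would keep that from being "cleaned up" later.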
@@ -321,7 +321,7 @@ jobs: output: "dependency_results_go.txt" exit-code: "1" - name: Generate and check java SBOMs - if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + if: ${{ steps.check_languages.outputs.uses_java == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" @@ -330,7 +330,7 @@ jobs: severity: "CRITICAL,HIGH" scanners: "vuln" format: "table" - output: "dependency_results_go.txt" + output: "dependency_results_java.txt" exit-code: "1" trivy-config: trivy.yaml - name: Show scan output From 99cc5bb725f7f8006b0db81bbb428192b75a93ff Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 6 Jan 2026 19:14:17 +0000 Subject: [PATCH 32/37] fix go --- .github/workflows/quality-checks.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 4077726..f7a576d 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -191,7 +191,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} with: scan-type: "fs" - skip-files: "**/poetry.lock,**/go.sum,**/pom.xml,**/package-lock.json" + skip-files: "**/poetry.lock,**/go.mod,**/pom.xml,**/package-lock.json" scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" @@ -211,7 +211,7 @@ jobs: if: ${{ steps.check_languages.outputs.uses_node == 'true' }} with: scan-type: "fs" - skip-files: "**/poetry.lock,**/go.sum,**/pom.xml" + skip-files: "**/poetry.lock,**/go.mod,**/pom.xml" scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" 
@@ -220,6 +220,11 @@ jobs: exit-code: "1" list-all-pkgs: "false" trivy-config: trivy.yaml + - name: download go dependencies + if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + run: | + cd src + go mod vendor - name: Check go licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_go == 'true' }} @@ -234,12 +239,17 @@ jobs: exit-code: "1" list-all-pkgs: "false" trivy-config: trivy.yaml + - name: clean go dependencies + if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + run: | + cd src + rm -rf vendor - name: Check java licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 if: ${{ steps.check_languages.outputs.uses_java == 'true' }} with: scan-type: "fs" - skip-files: "**/poetry.lock,**/package-lock.json,**/go.sum" + skip-files: "**/poetry.lock,**/package-lock.json,**/go.mod" scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" @@ -287,7 +297,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - skip-files: "**/package-lock.json,**/go.sum,**/pom.xml" + skip-files: "**/package-lock.json,**/go.mod,**/pom.xml" scan-ref: "." severity: "CRITICAL,HIGH" scanners: "vuln" @@ -300,7 +310,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - skip-files: "**/poetry.lock,**/go.sum,**/pom.xml" + skip-files: "**/poetry.lock,**/go.mod,**/pom.xml" scan-ref: "." severity: "CRITICAL,HIGH" scanners: "vuln" @@ -325,7 +335,7 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: scan-type: "fs" - skip-files: "**/poetry.lock,**/package-lock.json,**/go.sum" + skip-files: "**/poetry.lock,**/package-lock.json,**/go.mod" scan-ref: "." severity: "CRITICAL,HIGH" scanners: "vuln" From 11ca9c978448efd5303fecd66402ffc78d7c190f Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Wed, 7 Jan 2026 07:52:18 +0000 Subject: [PATCH 33/37] one licence scan --- .github/workflows/quality-checks.yml | 72 ++++------------------------ 1 file changed, 9 insertions(+), 63 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index f7a576d..5dd3760 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -186,17 +186,20 @@ jobs: echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export" fi poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt - - name: Check python licenses + - name: download go dependencies + if: ${{ steps.check_languages.outputs.uses_go == 'true' }} + run: | + cd src + go mod vendor + - name: Check licenses uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} with: scan-type: "fs" - skip-files: "**/poetry.lock,**/go.mod,**/pom.xml,**/package-lock.json" scan-ref: "." severity: "CRITICAL,HIGH" scanners: "license" format: "table" - output: "license_scan_python.txt" + output: "license_scan.txt" exit-code: "1" list-all-pkgs: "false" trivy-config: trivy.yaml 
@@ -206,74 +209,17 @@ jobs: if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} run: | rm -f requirements.txt - - name: Check node licenses - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - if: ${{ steps.check_languages.outputs.uses_node == 'true' }} - with: - scan-type: "fs" - skip-files: "**/poetry.lock,**/go.mod,**/pom.xml" - scan-ref: "." - severity: "CRITICAL,HIGH" - scanners: "license" - format: "table" - output: "license_scan_node.txt" - exit-code: "1" - list-all-pkgs: "false" - trivy-config: trivy.yaml - - name: download go dependencies - if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - run: | - cd src - go mod vendor - - name: Check go licenses - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - if: ${{ steps.check_languages.outputs.uses_go == 'true' }} - with: - scan-type: "fs" - skip-files: "**/poetry.lock,**/package-lock.json,**/pom.xml" - scan-ref: "." - severity: "CRITICAL,HIGH" - scanners: "license" - format: "table" - output: "license_scan_go.txt" - exit-code: "1" - list-all-pkgs: "false" - trivy-config: trivy.yaml - name: clean go dependencies if: ${{ steps.check_languages.outputs.uses_go == 'true' }} run: | cd src rm -rf vendor - - name: Check java licenses - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 - if: ${{ steps.check_languages.outputs.uses_java == 'true' }} - with: - scan-type: "fs" - skip-files: "**/poetry.lock,**/package-lock.json,**/go.mod" - scan-ref: "." 
- severity: "CRITICAL,HIGH" - scanners: "license" - format: "table" - output: "license_scan_java.txt" - exit-code: "1" - list-all-pkgs: "false" - trivy-config: trivy.yaml - name: Show license scan output if: always() run: | - if [ -f license_scan_python.txt ]; then - cat license_scan_python.txt - fi - if [ -f license_scan_node.txt ]; then - cat license_scan_node.txt + if [ -f license_scan.txt ]; then + cat license_scan.txt fi - if [ -f license_scan_go.txt ]; then - cat license_scan_go.txt - fi - if [ -f license_scan_java.txt ]; then - cat license_scan_java.txt - fi - - name: Run code lint run: make lint From aa788ed0430e5d032f1c6bcc54167fa1a8d3725e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 08:12:28 +0000 Subject: [PATCH 34/37] generate sbom --- .github/workflows/quality-checks.yml | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 5dd3760..65f5b1e 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -238,7 +238,23 @@ jobs: - name: Run unit tests run: make test - - name: Generate and check python SBOMs + - name: Generate SBOM + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "fs" + scan-ref: "." + scanners: "vuln" + format: "spdx-json" + output: "sbom.cdx.json" + exit-code: "0" + trivy-config: trivy.yaml + - name: Upload sbom + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + with: + name: sbom.cdx.json + path: sbom.cdx.json + + - name: Check python vulnerabilities if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: 
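Review bot: The new `Generate SBOM` step writes `format: "spdx-json"` output to `sbom.cdx.json` and uploads it under that name, so the artifact's extension announces CycloneDX while its content is SPDX; pick one — `format: "cyclonedx"` with `sbom.cdx.json`, or keep SPDX and name it `sbom.spdx.json` — and use the same value in `output:`, `name:` and `path:`. The step also keeps `scanners: "vuln"` from the stanza it replaces, which may embed vulnerability findings in the SBOM rather than produce a pure inventory; whichever is intended deserves a comment on the stanza. The merged licence scan in the preceding hunk now runs unconditionally against `.`, which is fine, but its `Show license scan output` step still wraps a single file in an `if [ -f ]` guard that no longer serves a purpose.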
@@ -251,7 +267,7 @@ jobs: output: "dependency_results_python.txt" exit-code: "1" trivy-config: trivy.yaml - - name: Generate and check node SBOMs + - name: Check node vulnerabilities if: ${{ steps.check_languages.outputs.uses_node == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: @@ -264,7 +280,7 @@ jobs: output: "dependency_results_node.txt" exit-code: "1" trivy-config: trivy.yaml - - name: Generate and check go SBOMs + - name: Check go vulnerabilities if: ${{ steps.check_languages.outputs.uses_go == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: @@ -276,7 +292,7 @@ jobs: format: "table" output: "dependency_results_go.txt" exit-code: "1" - - name: Generate and check java SBOMs + - name: Check java vulnerabilities if: ${{ steps.check_languages.outputs.uses_java == 'true' }} uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: @@ -289,7 +305,7 @@ jobs: output: "dependency_results_java.txt" exit-code: "1" trivy-config: trivy.yaml - - name: Show scan output + - name: Show vulnerability output if: always() run: | if [ -f dependency_results_python.txt ]; then From fc616c987673a6dcd12cdf5a742e009c1697e283 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 09:19:38 +0000 Subject: [PATCH 35/37] remove trivy config --- trivy.yaml | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 trivy.yaml diff --git a/trivy.yaml b/trivy.yaml deleted file mode 100644 index f0359e5..0000000 --- a/trivy.yaml +++ /dev/null @@ -1,2 +0,0 @@ -pkg: - include-dev-deps: false From 98a4e3698ceb20e09441c0e358f849ebcf602b2b Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 09:59:36 +0000 Subject: [PATCH 36/37] correct sbom filename --- .github/workflows/quality-checks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 65f5b1e..1df1131 100644 
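Review bot: The `Upload sbom` step relies on upload-artifact's default `if-no-files-found: warn`, and the `Generate SBOM` step runs with `exit-code: "0"`, so a run that produces no SBOM file still goes green with only a warning in the log. Add `if-no-files-found: "error"` under `with:` so a missing `sbom.cdx.json` fails the job rather than silently yielding no artifact. The artifact is also uploaded without any signature or provenance; if it is intended as a supply-chain record consumed elsewhere rather than just archived, an attestation step (for example `actions/attest-sbom`, which needs `id-token: write`) would be the next addition — hedged, because the job's `permissions` block is outside this hunk. The enclosing job starts outside the hunk.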
--- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -245,14 +245,14 @@ jobs: scan-ref: "." scanners: "vuln" format: "spdx-json" - output: "sbom.cdx.json" + output: "sbom.spdx.json" exit-code: "0" trivy-config: trivy.yaml - name: Upload sbom uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f with: - name: sbom.cdx.json - path: sbom.cdx.json + name: sbom.spdx.json + path: sbom.spdx.json - name: Check python vulnerabilities if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }} From 24b7981189ffa1c20bbeee1cad5e65192f5d5298 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 7 Jan 2026 10:21:32 +0000 Subject: [PATCH 37/37] use cyclonedx --- .github/workflows/quality-checks.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 1df1131..3475057 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -244,15 +244,15 @@ jobs: scan-type: "fs" scan-ref: "." scanners: "vuln" - format: "spdx-json" - output: "sbom.spdx.json" + format: "cyclonedx" + output: "sbom.cdx.json" exit-code: "0" trivy-config: trivy.yaml - name: Upload sbom uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f with: - name: sbom.spdx.json - path: sbom.spdx.json + name: sbom.cdx.json + path: sbom.cdx.json - name: Check python vulnerabilities if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }}
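Review bot: `trivy-config: trivy.yaml` is still passed to the `Generate SBOM` step here (and to the vulnerability checks below, per the earlier hunks) although patch 35 of this series deletes `trivy.yaml`; Trivy is likely to error on an explicitly given config path that does not exist, and if it does not, the deleted `pkg.include-dev-deps: false` setting is gone, so dev-only dependencies now enter the SBOM and the CRITICAL/HIGH gates. Either remove the `trivy-config: trivy.yaml` lines from every Trivy step or restore the config file; if including dev dependencies is now intended, record it next to the step, e.g. `# dev dependencies are intentionally included in the SBOM and vuln gates`. The enclosing job starts outside the hunk.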
