chore: Add SBOM vulnerability scans BED-8648#2950
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds a new GitHub Actions workflow that generates an SPDX JSON SBOM via ChangesVulnerability Scanning Setup
Estimated code review effort: 1 (Trivial) | ~5 minutes Sequence Diagram(s)sequenceDiagram
participant PullRequest
participant GitHubActions
participant SbomAction
participant ScanAction
PullRequest->>GitHubActions: trigger on opened, synchronize, reopened
GitHubActions->>SbomAction: generate SPDX JSON SBOM using .syft.yaml
SbomAction->>ScanAction: pass generated SBOM
ScanAction->>GitHubActions: report CVEs with critical, only-fixed filters
Suggested labels: ci, security Suggested reviewers: maintainers Poem: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/vulnerability-scans.yml (1)
30-31: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low valueNo
timeout-minutesset on the job.If
sbom-action/scan-actionhang (e.g. on DB download), the job falls back to GitHub's default 6-hour timeout, wasting runner minutes. Consider adding an explicittimeout-minutesbound.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/vulnerability-scans.yml around lines 30 - 31, The scan job is missing an explicit timeout, so add a bounded timeout to the scan-sbom-file job in the vulnerability-scans workflow. Update the job definition alongside runs-on by setting timeout-minutes on scan-sbom-file to prevent sbom-action or scan-action from hanging indefinitely.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/vulnerability-scans.yml:
- Around line 33-34: Add persist-credentials: false to the actions/checkout step
in the vulnerability-scans workflow so the GITHUB_TOKEN is not left in git
config. Update the checkout job entry identified by the actions/checkout step in
the workflow to explicitly disable credential persistence.
- Around line 29-34: The vulnerability-scans workflow is missing an explicit
permissions scope, so `GITHUB_TOKEN` may be broader than needed. Update the
workflow around `scan-sbom-file` to add a minimal `permissions` block at the
workflow or job level, keeping only the access required for `actions/checkout`
and the local scan steps. Use the existing job name and checkout step as the
anchor when making the change.
---
Nitpick comments:
In @.github/workflows/vulnerability-scans.yml:
- Around line 30-31: The scan job is missing an explicit timeout, so add a
bounded timeout to the scan-sbom-file job in the vulnerability-scans workflow.
Update the job definition alongside runs-on by setting timeout-minutes on
scan-sbom-file to prevent sbom-action or scan-action from hanging indefinitely.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: bf35add8-5324-4057-b556-15eb51189f43
📒 Files selected for processing (2)
.github/workflows/vulnerability-scans.yml.syft.yaml
Description
This change adds pull-request vulnerability scanning by generating an
SPDXJSON SBOM withsyftand scanning it usinggrypefor critical CVEs. and addingsyftconfiguration file to excludenode_modulesMotivation and Context
Resolves BED-8648
How Has This Been Tested?
verification with a successful CI execution
Please describe in detail how you tested your changes.
Include details of your testing environment, and the tests you ran to
see how your change affects other areas of the code, etc.
Screenshots (optional):
Types of changes
Checklist:
Summary by CodeRabbit
mainandstage/**.node_modulesfrom analysis.