Skip to content

chore: Add SBOM vulnerability scans BED-8648#2950

Open
ykaiboussiSO wants to merge 3 commits into
mainfrom
BED-8648
Open

chore: Add SBOM vulnerability scans BED-8648#2950
ykaiboussiSO wants to merge 3 commits into
mainfrom
BED-8648

Conversation

@ykaiboussiSO

@ykaiboussiSO ykaiboussiSO commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Description

This change adds pull-request vulnerability scanning by generating an SPDX JSON SBOM with syft and scanning it using grype for critical CVEs. and adding syft configuration file to exclude node_modules

Motivation and Context

Resolves BED-8648

How Has This Been Tested?

verification with a successful CI execution
Please describe in detail how you tested your changes.
Include details of your testing environment, and the tests you ran to
see how your change affects other areas of the code, etc.

Screenshots (optional):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Database Migrations

Checklist:

Summary by CodeRabbit

  • New Features
    • Added an automated security workflow that runs on pull requests targeting main and stage/**.
    • Generates an SPDX JSON SBOM and scans it for critical vulnerabilities that have been fixed.
    • Added scanning rules to exclude node_modules from analysis.

@ykaiboussiSO ykaiboussiSO self-assigned this Jul 1, 2026
@ykaiboussiSO ykaiboussiSO added the tooling This updates developer tooling label Jul 1, 2026
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: bfedcedb-bcc2-4ced-90f0-7125ce407bf6

📥 Commits

Reviewing files that changed from the base of the PR and between a6c2b8a and 4d6abad.

📒 Files selected for processing (1)
  • .github/workflows/vulnerability-scans.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/vulnerability-scans.yml

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow that generates an SPDX JSON SBOM via anchore/sbom-action and scans it with anchore/scan-action on pull requests to main and stage/**. Also adds a .syft.yaml file that excludes ./node_modules/** from Syft scanning.

Changes

Vulnerability Scanning Setup

Layer / File(s) Summary
Workflow trigger and job definition
.github/workflows/vulnerability-scans.yml
New workflow triggered on pull_request events (opened, synchronize, reopened) for main and stage/**; checks out the repository, generates an SPDX JSON SBOM via anchore/sbom-action using .syft.yaml, then scans the SBOM via anchore/scan-action with by-cve: true, severity-cutoff: critical, and only-fixed: true.
Syft scan configuration
.syft.yaml
New Syft configuration file with an Apache 2.0 header excluding ./node_modules/** from scanning.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PullRequest
  participant GitHubActions
  participant SbomAction
  participant ScanAction
  PullRequest->>GitHubActions: trigger on opened, synchronize, reopened
  GitHubActions->>SbomAction: generate SPDX JSON SBOM using .syft.yaml
  SbomAction->>ScanAction: pass generated SBOM
  ScanAction->>GitHubActions: report CVEs with critical, only-fixed filters
Loading

Suggested labels: ci, security

Suggested reviewers: maintainers

Poem:
A workflow scans what PRs may hide,
With SBOM output and CVE guide,
node_modules stay out of sight,
Critical-only checks run tight,
A small security step, precise and light.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding SBOM vulnerability scans.
Description check ✅ Passed The description includes the required sections, ticket, testing notes, and checklist, so it is mostly complete.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch BED-8648

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@ykaiboussiSO ykaiboussiSO marked this pull request as ready for review July 1, 2026 18:55

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/vulnerability-scans.yml (1)

30-31: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low value

No timeout-minutes set on the job.

If sbom-action/scan-action hang (e.g. on DB download), the job falls back to GitHub's default 6-hour timeout, wasting runner minutes. Consider adding an explicit timeout-minutes bound.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/vulnerability-scans.yml around lines 30 - 31, The scan job
is missing an explicit timeout, so add a bounded timeout to the scan-sbom-file
job in the vulnerability-scans workflow. Update the job definition alongside
runs-on by setting timeout-minutes on scan-sbom-file to prevent sbom-action or
scan-action from hanging indefinitely.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/vulnerability-scans.yml:
- Around line 33-34: Add persist-credentials: false to the actions/checkout step
in the vulnerability-scans workflow so the GITHUB_TOKEN is not left in git
config. Update the checkout job entry identified by the actions/checkout step in
the workflow to explicitly disable credential persistence.
- Around line 29-34: The vulnerability-scans workflow is missing an explicit
permissions scope, so `GITHUB_TOKEN` may be broader than needed. Update the
workflow around `scan-sbom-file` to add a minimal `permissions` block at the
workflow or job level, keeping only the access required for `actions/checkout`
and the local scan steps. Use the existing job name and checkout step as the
anchor when making the change.

---

Nitpick comments:
In @.github/workflows/vulnerability-scans.yml:
- Around line 30-31: The scan job is missing an explicit timeout, so add a
bounded timeout to the scan-sbom-file job in the vulnerability-scans workflow.
Update the job definition alongside runs-on by setting timeout-minutes on
scan-sbom-file to prevent sbom-action or scan-action from hanging indefinitely.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: bf35add8-5324-4057-b556-15eb51189f43

📥 Commits

Reviewing files that changed from the base of the PR and between aa6e331 and a6c2b8a.

📒 Files selected for processing (2)
  • .github/workflows/vulnerability-scans.yml
  • .syft.yaml

Comment thread .github/workflows/vulnerability-scans.yml
Comment thread .github/workflows/vulnerability-scans.yml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

tooling This updates developer tooling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant