Add SBOM capability (#12)

* Fixing for Linux

* Adding SBOM

Dockerfile

@@ -4,8 +4,6 @@ COPY pull-scan.sh /app/
 
 RUN apk add bash curl sudo jq -q
 
-# RUN curl -s -L  https://gist.githubusercontent.com/raphabot/abae09b46c29afc7c3b918b7b8ec2a5c/raw/d87fbede38544d1adf5953fd0ce104e935c3a8dc/tmas-install.sh | bash
-
 RUN OS=Linux && ARCH=x86_64 && VERSION=$(curl -s "https://api.github.com/repos/google/go-containerregistry/releases/latest" | jq -r '.tag_name') && curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz && tar -zxvf go-containerregistry.tar.gz -C /usr/bin/ crane
 
 ENTRYPOINT [ "bash", "/app/pull-scan.sh" ]

README.md

@@ -26,6 +26,7 @@ Add an Action in your `.github/workflow` yml file to scan your image with Trend
       REGION: us-1
 
       # Optional
+      SBOM: true # Saves SBOM to SBOM.json so you can export it as an artifact later.
       IMAGE: alpine # The image need to be public or the pipeline need to have access to the private image of choice.
       LOCAL_IMAGE_TARBALL: image.tar
       # For each threshold below, select the maximum number of vulnerabilities that are acceptable.
@@ -41,13 +42,19 @@ Add an Action in your `.github/workflow` yml file to scan your image with Trend
 
 ## Artifacts (Optional)
 
-Artifacts allow you to share data between jobs in a workflow and store data once that workflow has completed, in this case saving the scan as an artifact allow you to have proof on what happened on past scans. In the example below, you can add an extra action after the scan to keep the result the scan as an artifact for 30 days:
+Artifacts allow you to share data between jobs in a workflow and store data once that workflow has completed, in this case saving the scan result and the container image SBOM as an artifact allow you to have proof on what happened on past scans. In the example below, you can add an extra action after the scan to keep the result the scan as an artifact for 30 days:
 
 ```yaml
-  - name: 'Upload Artifact'
+  - name: 'Upload Scan Result Artifact'
     uses: actions/upload-artifact@v3
     with:
-      name: my-artifact
+      name: scan-result
+      path: result.json
+      retention-days: 30
+  - name: 'Upload SBOM Artifact'
+    uses: actions/upload-artifact@v3
+    with:
+      name: sbom
       path: result.json
       retention-days: 30
 ```

action.yml

@@ -12,6 +12,10 @@ inputs:
     description: "Cloud One Region"
     required: true
     default: "us-1"
+  SBOM:
+    description: "Decide if you want to save the SBOM file for the image. Default is true."
+    required: false
+    default: "true"
   MAX_TOTAL:
     description: "Max total of vulnerabilities acceptable in a images"
     required: false
@@ -57,6 +61,7 @@ runs:
     CLOUD_ONE_API_KEY: ${{ inputs.CLOUD_ONE_API_KEY }}
     IMAGE: ${{ inputs.IMAGE }}
     REGION: ${{ inputs.REGION }}
+    SBOM: ${{ inputs.SBOM }}
     MAX_TOTAL: ${{ inputs.MAX_TOTAL }}
     MAX_CRITICAL: ${{ inputs.MAX_CRITICAL }}
     MAX_HIGH: ${{ inputs.MAX_HIGH }}

pull-scan.sh

@@ -20,7 +20,13 @@ else
 fi
 
 # Scans the image
-tmas scan --endpoint "https://artifactscan.$REGION.cloudone.trendmicro.com" docker-archive:"$IMAGE_TARBALL" > "$SCAN_RESULT_ARTIFACT"
+tmas scan --endpoint "https://artifactscan.$REGION.cloudone.trendmicro.com" docker-archive:"$IMAGE_TARBALL" "$(if [ "$SBOM" = true ]; then echo "--saveSBOM"; fi)" > "$SCAN_RESULT_ARTIFACT"
+
+# If saving SBOM is true
+if [ "$SBOM" = true ]; then
+  # Rename SBOM File to standard name so it can be exported later.
+  mv SBOM_* SBOM.json
+fi
 
 # print the result
 cat "$SCAN_RESULT_ARTIFACT"