Skip to content

Commit e904ac9

Browse files
ci: run secscan on release for security scanning and SBOM generation (#196)
When the snap is released, use the sbomber tool to run the secscan tool to do security scanning and SBOM generation as per the SSDLC. Heavily based on the same workflow in Pebble. --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 6d63fc2 commit e904ac9

4 files changed

Lines changed: 52 additions & 1 deletion

File tree

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
clients:
2+
sbom:
3+
service_url: https://sbom-request.canonical.com
4+
department: charm_engineering
5+
email: tony.meyer@canonical.com
6+
team: charm_tech
7+
secscan: {}
8+
9+
artifacts:
10+
- name: concierge
11+
type: snap
12+
ssdlc_params:
13+
name: concierge
14+
version: '' # auto-detect (snap store revision)
15+
channel: stable

.github/workflows/release.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -161,3 +161,9 @@ jobs:
161161
env:
162162
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
163163
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.STORE_TOKEN }}
164+
165+
sbom-secscan:
166+
name: SBOM and secscan
167+
needs:
168+
- release
169+
uses: ./.github/workflows/sbom-secscan.yaml
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
name: SBOM and secscan
2+
3+
on:
4+
workflow_call:
5+
workflow_dispatch:
6+
7+
permissions: {}
8+
9+
concurrency:
10+
group: ${{ github.workflow }}-${{ github.ref }}
11+
cancel-in-progress: true
12+
13+
jobs:
14+
scan:
15+
name: SBOM and secscan (snap)
16+
# Self-hosted runner is required for access to the internal SBOM and
17+
# secscan services.
18+
runs-on: [self-hosted, self-hosted-linux-amd64-jammy-private-endpoint-medium]
19+
steps:
20+
- uses: actions/checkout@v6
21+
with:
22+
persist-credentials: false
23+
24+
- name: Run sbomber
25+
# main as of 2026-05-25 -- the sbomber-ref input below should match.
26+
uses: canonical/sbomber/.github/actions/run@cf7a76e810497ec932e8285b2c9d6b373d225e79
27+
with:
28+
manifest: '${{ github.workspace }}/.github/.sbomber-manifest-snap.yaml'
29+
artifact-name: secscan-report-upload-snap
30+
sbomber-ref: cf7a76e810497ec932e8285b2c9d6b373d225e79

CONTRIBUTING.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -111,4 +111,4 @@ To release, simply create a new release in GitHub.
111111
4. Write release notes - start with the draft provided by GitHub, drop the `by @author` credit for anyone in the Charm Tech team (including Copilot and other AI users), and include a short summary of the new features and bug fixes at the top. Leave the link to the full list of commits and any acknowledgement of new contributors.
112112
5. Click "Publish release".
113113
6. Monitor the release [GitHub Action](https://github.com/canonical/concierge/actions) and check that the [snap](https://snapcraft.io/concierge) is uploaded correctly (it will have been published to all risks, including `stable`)
114-
7. Run the appropriate security scan and SBOM generation, as described in the Canonical library's SSDLC process. Upload artifacts to the [SSDLC Concierge folder in Drive](https://drive.google.com/drive/folders/1RtAn7x0EX97C6eV66xs74Pwth3KW7NHI). Open the artifact and verify that the security scan has not found any vulnerabilities.
114+
7. Find the security scan artifact on the corresponding [SBOM and secscan](https://github.com/canonical/concierge/actions/workflows/sbom-secscan.yaml) run, and upload it to the [SSDLC Concierge folder in Drive](https://drive.google.com/drive/folders/1RtAn7x0EX97C6eV66xs74Pwth3KW7NHI?usp=share_link). Open the artifact and verify that the security scan has not found any vulnerabilities.

0 commit comments

Comments
 (0)