Conversation
Pull Request Overview
This PR introduces a new GitHub Actions workflow to track project dependencies by generating and uploading Software Bill of Materials (SBOM) to a dependency tracking system. The workflow is configured to run on pushes to main and release branches, as well as manual dispatch.
- Added automated dependency tracking workflow using CycloneDX format
- Configured workflow to trigger on main/release branch pushes and manual dispatch
- Integrated with DependencyTrack for SBOM upload and monitoring
| - name: Generate SBOM | ||
| run: yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx -o sbom.json | ||
| - name: Upload CycloneDx bom to dependency track | ||
| uses: DependencyTrack/gh-upload-sbom@v3 |
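Review bot: The `Generate SBOM` step runs `yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx` with no version, so every run fetches and executes whatever the registry currently serves for that package name; for a workflow whose purpose is supply-chain tracking, pin it (`yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx@<version>`) or add the plugin as a dev dependency so it is resolved from the lockfile.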
Using a mutable tag (@v3) for the action reference poses security risks as the tag can be moved to point to different code. Consider pinning to a specific commit SHA or using an immutable tag for better security and reproducibility.
| uses: DependencyTrack/gh-upload-sbom@v3 | |
| uses: DependencyTrack/gh-upload-sbom@e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2 |
| with: | ||
| serverhostname: ${{ secrets.DEPENDENCY_TRACK_SERVER_HOSTNAME }} | ||
| apikey: ${{ secrets.DEPENDENCY_TRACK_API_KEY }} | ||
| project: 'c9e26ece-6f0c-4834-94c3-a20efd1d7fb7' |
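Review bot: The generate step writes `sbom.json`, but the `with:` block for `DependencyTrack/gh-upload-sbom` passes no `bomfilename` input, so the upload relies on the action's default filename; confirm that default matches, or set `bomfilename: sbom.json` explicitly so the two steps cannot drift apart.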
The project UUID is hardcoded in the workflow file. Consider moving this to a repository secret or environment variable to avoid exposing internal project identifiers and improve configuration flexibility across environments.
| project: 'c9e26ece-6f0c-4834-94c3-a20efd1d7fb7' | |
| project: ${{ secrets.DEPENDENCY_TRACK_PROJECT_UUID }} |
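The mutable-tag finding in the first review comment is the kind of thing a pre-merge check can catch mechanically. The following is an added example, not code from this PR, the reviewer, or the DependencyTrack project: it scans a workflow for `uses:` references that are not 40-hex commit SHAs and rewrites the ones it can resolve to `@<sha> # <tag>`. The sample workflow, the SHA values and the `dict_resolver` tag-to-SHA table are constructed for the example; in real use the resolver would come from `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` (reading the peeled `^{}` ref for annotated tags).

```python
"""Find and pin mutable GitHub Actions refs (tags/branches) to commit SHAs.

Added example, not code from the PR under review. The resolver here is a
constructed dict; in real use you would resolve a tag with
`git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` (and the
`^{}` peeled ref for annotated tags) and feed the resulting SHA in.
"""
import re
from typing import Callable, List, Optional, Tuple

# A ref is treated as immutable only if it is a full 40-hex commit SHA.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/path]@ref`. Local `./path` actions and
# `docker://` images do not have the owner/repo@ref shape and are not matched.
_USES_RE = re.compile(
    r"^(?P<indent>\s*(?:-\s+)?uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)

Resolver = Callable[[str, str], Optional[str]]


def is_pinned(ref: str) -> bool:
    """True only for a full commit SHA; tags and branches are mutable."""
    return bool(_SHA_RE.match(ref))


def find_mutable_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every `uses:` not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((line_no, m.group("action"), m.group("ref")))
    return findings


def pin_uses(workflow_text: str, resolve: Resolver) -> str:
    """Rewrite mutable refs to `@<sha> # <original ref>`.

    Refs the resolver cannot map are left untouched rather than guessed,
    so a second pass of find_mutable_uses() still reports them.
    """
    out = []
    for line in workflow_text.splitlines():
        m = _USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            sha = resolve(m.group("action"), m.group("ref"))
            if sha is not None and is_pinned(sha):
                # Keep any existing trailing comment alongside the tag note.
                trailing = m.group("rest").strip().lstrip("#").strip()
                comment = f"# {m.group('ref')}" + (f" ({trailing})" if trailing else "")
                line = f"{m.group('indent')}{m.group('action')}@{sha} {comment}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow; the upload step mirrors the shape of the PR's.
SAMPLE_WORKFLOW = """\
jobs:
  sbom:
    steps:
      - uses: actions/checkout@v4
      - name: Upload CycloneDx bom to dependency track
        uses: DependencyTrack/gh-upload-sbom@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
"""

# Constructed tag -> SHA table standing in for `git ls-remote` results.
# Only the DependencyTrack tag is "known"; actions/checkout is deliberately
# left unresolved to show that the script does not pin to a guess.
_KNOWN_SHAS = {
    ("DependencyTrack/gh-upload-sbom", "v3"): "89abcdef0123456789abcdef0123456789abcdef",
}


def dict_resolver(action: str, ref: str) -> Optional[str]:
    """Hypothetical resolver backed by the constructed table above."""
    return _KNOWN_SHAS.get((action, ref))


if __name__ == "__main__":
    for line_no, action, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_uses(SAMPLE_WORKFLOW, dict_resolver))
```

Running this on the sample flags both `actions/checkout@v4` and `DependencyTrack/gh-upload-sbom@v3`, rewrites only the latter (the one the constructed table knows), and leaves the already-pinned `setup-node` line alone. Wiring it into a CI job that fails when `find_mutable_uses()` returns anything turns the review comment into an enforced policy.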
No description provided.