From 66a843d50294f12253260d4554f45fe1052439a4 Mon Sep 17 00:00:00 2001
From: syoul
Date: Thu, 19 Mar 2026 16:51:43 +0100
Subject: [PATCH] feat: ajout pipeline SBOM (Syft + Trivy + Dependency-Track)

- sbom-generate : inventaire CycloneDX des images prestashop:8-apache et mariadb:10.11 via Syft
- sbom-scan : scan CVE depuis les SBOM via Trivy (cache /home/syoul/trivy-cache)
- sbom-publish : envoi vers dtrack.syoul.fr avec versioning date+commit SHA
- .gitignore : ajout /.reports/

Co-Authored-By: Claude Sonnet 4.6
---
 .gitignore | 3 ++-
 .woodpecker.yml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 5e93395..f4f43b7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,5 @@
 /docs-syoul
 /docs-sonic
 /plans
-.env
\ No newline at end of file
+.env
+/.reports/
\ No newline at end of file
diff --git a/.woodpecker.yml b/.woodpecker.yml
index bb931bc..9079e47 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -35,6 +35,57 @@ steps:
 - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
 - echo "Verifications de securite OK"
+ # Etape 2b : Generation SBOM (Syft) — inventaire des composants des images Docker
+ # NOTE: volumes: et from_secret incompatibles dans le meme step — pas de secrets ici
+ - name: sbom-generate
+ image: anchore/syft:latest
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ commands:
+ - mkdir -p .reports
+ - syft prestashop/prestashop:8-apache -o cyclonedx-json --file .reports/sbom-prestashop.cyclonedx.json
+ - syft mariadb:10.11 -o cyclonedx-json --file .reports/sbom-mariadb.cyclonedx.json
+ - echo "SBOM generes $(ls .reports/sbom-*.json | wc -l) fichiers"
+
+ # Etape 2c : Scan CVE (Trivy) depuis les SBOM Syft
+ # Cache /opt/trivy-cache evite ~200Mo de telechargement des DB CVE a chaque build
+ # Prerequis sur sonic : mkdir -p /opt/trivy-cache
+ - name: sbom-scan
+ image: aquasec/trivy:latest
+ volumes:
+ - /home/syoul/trivy-cache:/root/.cache/trivy
+ commands:
+ - trivy sbom --format json --output .reports/trivy-prestashop.json .reports/sbom-prestashop.cyclonedx.json
+ - trivy sbom --format json --output .reports/trivy-mariadb.json .reports/sbom-mariadb.cyclonedx.json
+ - echo "Scan CVE termine"
+
+ # Etape 2d : Publication SBOM vers Dependency-Track (dtrack.syoul.fr)
+ # NOTE: from_secret et volumes: incompatibles — pas de volumes ici
+ - name: sbom-publish
+ image: alpine/curl:latest
+ environment:
+ DTRACK_TOKEN:
+ from_secret: dependency_track_token
+ commands:
+ - |
+ VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+ curl -sf -X POST "https://dtrack.syoul.fr/api/v1/bom" \
+ -H "X-Api-Key: $DTRACK_TOKEN" \
+ -F "autoCreate=true" \
+ -F "projectName=prestashop-test-app" \
+ -F "projectVersion=$VERSION" \
+ -F "bom=@.reports/sbom-prestashop.cyclonedx.json"
+ echo "SBOM prestashop publie (version $VERSION)"
+ - |
+ VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+ curl -sf -X POST "https://dtrack.syoul.fr/api/v1/bom" \
+ -H "X-Api-Key: $DTRACK_TOKEN" \
+ -F "autoCreate=true" \
+ -F "projectName=prestashop-test-db" \
+ -F "projectVersion=$VERSION" \
+ -F "bom=@.reports/sbom-mariadb.cyclonedx.json"
+ echo "SBOM mariadb publie (version $VERSION)"
+
 # Etape 3a : Ecriture du .env depuis les secrets
 # NOTE: ne pas utiliser ${VAR} dans commands (bug Woodpecker next), utiliser env | grep
 # NOTE: from_secret et volumes: incompatibles dans le meme step (bug Woodpecker next)
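Review bot: The `sbom-generate` step bind-mounts `/var/run/docker.sock` into `anchore/syft:latest`, which gives that container (and anyone able to change this pipeline file) root-equivalent control of the CI host, while Syft does not need the daemon for public images: `- syft registry:prestashop/prestashop:8-apache -o cyclonedx-json --file .reports/sbom-prestashop.cyclonedx.json` (likewise for mariadb) pulls straight from the registry and the `volumes:` block can be dropped. All three tool images (`anchore/syft`, `aquasec/trivy`, `alpine/curl`) run `:latest`, so the supply-chain pipeline itself is not reproducible; pin them to a digest (`image: anchore/syft:<tag>@sha256:<digest>`, placeholder values). `trivy sbom` runs without `--exit-code`, so `sbom-scan` only writes reports and never fails the build on findings; `trivy sbom --exit-code 1 --severity HIGH,CRITICAL --format json --output .reports/trivy-prestashop.json .reports/sbom-prestashop.cyclonedx.json` would gate, if that is the intent. The two comment lines above `sbom-scan` still say `/opt/trivy-cache` while the mount is `/home/syoul/trivy-cache`; update the comment to name the real host path. In `sbom-publish`, `curl -sf` suppresses curl's own error line on a rejected upload, so a 401/400 from Dependency-Track shows up only as a bare step failure; `curl -sSf` keeps progress output quiet but still prints the error.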