chore: Add SBOM vulnerability scans BED-8648#2950
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a new pull request workflow that generates an SPDX JSON SBOM, scans it for high-severity fixed CVEs, and prints scan output on failure. Also adds Syft and Grype configuration files. ChangesVulnerability scanning setup
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/vulnerability-scans.yml (1)
30-31: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low valueNo
timeout-minutesset on the job.If
sbom-action/scan-actionhang (e.g. on DB download), the job falls back to GitHub's default 6-hour timeout, wasting runner minutes. Consider adding an explicittimeout-minutesbound.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/vulnerability-scans.yml around lines 30 - 31, The scan job is missing an explicit timeout, so add a bounded timeout to the scan-sbom-file job in the vulnerability-scans workflow. Update the job definition alongside runs-on by setting timeout-minutes on scan-sbom-file to prevent sbom-action or scan-action from hanging indefinitely.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/vulnerability-scans.yml:
- Around line 33-34: Add persist-credentials: false to the actions/checkout step
in the vulnerability-scans workflow so the GITHUB_TOKEN is not left in git
config. Update the checkout job entry identified by the actions/checkout step in
the workflow to explicitly disable credential persistence.
- Around line 29-34: The vulnerability-scans workflow is missing an explicit
permissions scope, so `GITHUB_TOKEN` may be broader than needed. Update the
workflow around `scan-sbom-file` to add a minimal `permissions` block at the
workflow or job level, keeping only the access required for `actions/checkout`
and the local scan steps. Use the existing job name and checkout step as the
anchor when making the change.
---
Nitpick comments:
In @.github/workflows/vulnerability-scans.yml:
- Around line 30-31: The scan job is missing an explicit timeout, so add a
bounded timeout to the scan-sbom-file job in the vulnerability-scans workflow.
Update the job definition alongside runs-on by setting timeout-minutes on
scan-sbom-file to prevent sbom-action or scan-action from hanging indefinitely.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: bf35add8-5324-4057-b556-15eb51189f43
📒 Files selected for processing (2)
.github/workflows/vulnerability-scans.yml.syft.yaml
Description
This change adds pull-request vulnerability scanning by generating an
SPDXJSON SBOM withsyftand scanning it usinggrypefor critical CVEs.Motivation and Context
Resolves BED-8648
How Has This Been Tested?
Successful GH workflow execution
Screenshots (optional):
Types of changes
Checklist:
Summary by CodeRabbit
mainandstage/**.node_modulesfrom vulnerability analysis via the scan configuration.