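---
# Reusable workflow: build a CycloneDX SBOM with Trivy, upload it to
# Dependency-Track and fail the calling job when the project carries
# critical findings.
name: Trivy

# yamllint disable-line rule:truthy
on:
  workflow_call:
    inputs:
      version:
        description: Project version attached to the uploaded BOM (empty leaves it unset)
        required: false
        type: string
        default: ''
    secrets:
      DEPENDENCYTRACK_URL:
        required: true
      DEPENDENCYTRACK_API_KEY:
        required: true
      DEPENDENCYTRACK_PROJECT_UUID:
        required: true

# Least privilege: the job only reads the checked-out sources.
permissions:
  contents: read

jobs:
  trivy:
    name: SBOM & Dependency Track
    runs-on: ubuntu-latest
    # Secrets and the caller-supplied input are handed to the shell steps through
    # the environment instead of being expanded inline with ${{ }}. Inline
    # expansion splices the raw value into the script text, so a crafted
    # `version` could change what the script does; an env var is just data.
    env:
      DT_URL: ${{ secrets.DEPENDENCYTRACK_URL }}
      DT_API_KEY: ${{ secrets.DEPENDENCYTRACK_API_KEY }}
      DT_PROJECT_UUID: ${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}
      PROJECT_VERSION: ${{ inputs.version }}
    steps:
      - name: Checkout
        # NOTE(review): a tag is mutable; pinning the action to a full commit SHA
        # makes the checkout step reproducible.
        uses: actions/checkout@v4

      - name: Install Trivy
        # NOTE(review): the installer is fetched from the unpinned `main` branch
        # and executed. The install script accepts a release tag as its last
        # argument; pinning one (TRIVY_VERSION placeholder) keeps the toolchain
        # reproducible. `pipefail` makes a failed download fail the step instead
        # of silently running an empty script.
        run: |
          set -euo pipefail
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin
          trivy --version

      - name: Generate SBOM
        run: |
          set -euo pipefail
          trivy fs . \
            --format cyclonedx \
            --output sbom.json \
            --quiet
          echo "✅ SBOM generated"

      - name: Upload SBOM to Dependency-Track
        # The response body is kept in /tmp/dt-response.json: besides being
        # printed for diagnostics it carries the processing token used by the
        # next step. curl sets the multipart Content-Type (including the
        # boundary) on its own when -F is used, so no explicit header is needed.
        run: |
          set -euo pipefail
          HTTP_STATUS=$(curl --silent \
            --max-time 120 \
            --output /tmp/dt-response.json \
            --write-out "%{http_code}" \
            -X POST "${DT_URL}/api/v1/bom" \
            -H "X-Api-Key: ${DT_API_KEY}" \
            -F "project=${DT_PROJECT_UUID}" \
            -F "projectVersion=${PROJECT_VERSION}" \
            -F "bom=@sbom.json")
          echo "Response: $(cat /tmp/dt-response.json)"
          if [ "$HTTP_STATUS" -ne 200 ]; then
            echo "❌ Upload failed – HTTP Status: ${HTTP_STATUS}"
            exit 1
          fi
          echo "✅ SBOM uploaded"

      - name: Check Dependency-Track Results
        # A fixed sleep races the server: if processing takes longer the metrics
        # read below are the pre-upload values and the gate passes on stale data.
        # The upload response carries a token that /api/v1/bom/token/{token}
        # reports as "processing" until the BOM has been handled, so poll it
        # (bounded) before reading the metrics. --fail turns a non-2xx metrics
        # reply into a clear curl error instead of a JSON decode traceback, and
        # pipefail propagates it through the pipe into python3.
        run: |
          set -euo pipefail
          TOKEN=$(python3 -c 'import json, sys; print(json.load(sys.stdin).get("token", ""))' < /tmp/dt-response.json)
          echo "⏳ Wait for results..."
          if [ -n "$TOKEN" ]; then
            for _ in $(seq 1 60); do
              PROCESSING=$(curl --silent --fail --max-time 30 \
                "${DT_URL}/api/v1/bom/token/${TOKEN}" \
                -H "X-Api-Key: ${DT_API_KEY}" \
                | python3 -c 'import json, sys; print(json.load(sys.stdin).get("processing", False))')
              if [ "$PROCESSING" = "False" ]; then
                break
              fi
              sleep 5
            done
          fi
          # NOTE(review): project metrics are refreshed after analysis completes;
          # the original fixed delay is kept as a grace period for that refresh.
          sleep 15
          curl --silent --fail --max-time 30 \
            "${DT_URL}/api/v1/metrics/project/${DT_PROJECT_UUID}/current" \
            -H "X-Api-Key: ${DT_API_KEY}" \
            | python3 -c "
          import sys, json
          d = json.load(sys.stdin)
          critical = d.get('critical', 0)
          high = d.get('high', 0)
          medium = d.get('medium', 0)
          low = d.get('low', 0)
          print(f'┌─ Dependency-Track Results ────')
          print(f'│ Critical : {critical}')
          print(f'│ High     : {high}')
          print(f'│ Medium   : {medium}')
          print(f'│ Low      : {low}')
          print(f'└───────────────────────────────')
          # Only critical findings gate the build; high/medium/low are reported.
          if critical > 0:
              print('❌ Critical found!')
              sys.exit(1)
          print('✅ Passed')
          "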