Skip to content

feat: add SBOM CI component#4

Open
Grayknife wants to merge 2 commits into
mainfrom
feat/add-sbom-ci-component
Open

feat: add SBOM CI component#4
Grayknife wants to merge 2 commits into
mainfrom
feat/add-sbom-ci-component

Conversation

@Grayknife

Copy link
Copy Markdown
Collaborator

No description provided.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an SBOM-related CI component include to the Django cookiecutter template’s GitLab CI configuration so generated projects can run SBOM/dependency-audit jobs as part of their pipeline.

Changes:

  • Add a new include:component entry for security/dependency-audit/sbom@0.3.6 in the template .gitlab-ci.yml.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread django/{{ cookiecutter.project_slug }}/.gitlab-ci.yml

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

Comment thread README.md
Comment on lines 16 to 20
```shell
cookiecutter https://github.com/singularit-de/cc-python.git --directory django
# or
uvx cookiecutter https://github.com/singularit-de/cc-python.git --directory django
```
Comment thread README.md
Comment on lines 27 to +29
## Why we are using templates

## Contribute to this repository
## Testing template updates locally
pre-commit install
```

## Gitlab CI/CD

### Dependency Track

The uv.lock file is used to track vulnerabilities in dependencies.

#### Lint

In the lint stage we are running `pre-commit'` that checks for code formatting and linting issues.

In the lint stage we are running `pre-commit'` that checks for code formatting and linting issues.

When? Each push to a protected branch or a branch that has an open pull request to a protected branch.
2. `deploy-check` - runs the django deployment check for security issues
3. `sbom:uv:prod` - generates a Software Bill of Materials (SBOM) for the Dependency Track Dashboard. There is a separate .post stage where the SBOM is uploaded to the Dependency Track Dashboard.

When? Each push to a protected branch or a branch that has an open pull request to a protected branch.
Comment on lines +121 to +122
When? Each push to a protected branch or a branch that has an open pull request to a protected branch.
staging server.
### Dependency Track

The uv.lock file is used to track vulnerabilities in dependencies.
Every push to a protected branch or a created tag will trigger an update of the Dependency Track Dashboard.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

das ist theoretisch nicht korrekt. Die default rule, dass die jobs laufen ist:

($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG) && $CI_PIPELINE_SOURCE != "schedule"

in kurz: Wenn du auf den default branch pushst, oder einen tag (und nicht bei gescheduled pipelines). Das kann aber alles per input konifguriert werden: https://singular-code.de/explore/catalog/singularit/ci-components/security/dependency-audit?tab=components


1. `django-test` - runs the django unit tests
2. `deploy-check` - runs the django deployment check for security issues
3. `sbom:uv:prod` - generates a Software Bill of Materials (SBOM) for the Dependency Track Dashboard. There is a separate .post stage where the SBOM is uploaded to the Dependency Track Dashboard.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ist glaube ich nicht wichtig zu erwähnen, dass die auch da ist. Weil die ja sehr abstract ist.

Comment on lines +121 to +122
When? Each push to a protected branch or a branch that has an open pull request to a protected branch.
staging server.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

meinst du hier staging und review app oder wieso auch wenn man vom mr aus kommt?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants