feat: add SBOM CI component#4
Conversation
There was a problem hiding this comment.
Pull request overview
Adds an SBOM-related CI component include to the Django cookiecutter template’s GitLab CI configuration so generated projects can run SBOM/dependency-audit jobs as part of their pipeline.
Changes:
- Add a new
include:componententry forsecurity/dependency-audit/sbom@0.3.6in the template.gitlab-ci.yml.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…uctions for templates
| ```shell | ||
| cookiecutter https://github.com/singularit-de/cc-python.git --directory django | ||
| # or | ||
| uvx cookiecutter https://github.com/singularit-de/cc-python.git --directory django | ||
| ``` |
| ## Why we are using templates | ||
|
|
||
| ## Contribute to this repository | ||
| ## Testing template updates locally |
| pre-commit install | ||
| ``` | ||
|
|
||
| ## Gitlab CI/CD |
|
|
||
| ### Dependency Track | ||
|
|
||
| The uv.lock file is used to track vulnerabilities in dependencies. |
|
|
||
| #### Lint | ||
|
|
||
| In the lint stage we are running `pre-commit'` that checks for code formatting and linting issues. |
|
|
||
| In the lint stage we are running `pre-commit'` that checks for code formatting and linting issues. | ||
|
|
||
| When? Each push to a protected branch or a branch that has an open pull request to a protected branch. |
| 2. `deploy-check` - runs the django deployment check for security issues | ||
| 3. `sbom:uv:prod` - generates a Software Bill of Materials (SBOM) for the Dependency Track Dashboard. There is a separate .post stage where the SBOM is uploaded to the Dependency Track Dashboard. | ||
|
|
||
| When? Each push to a protected branch or a branch that has an open pull request to a protected branch. |
| When? Each push to a protected branch or a branch that has an open pull request to a protected branch. | ||
| staging server. |
| ### Dependency Track | ||
|
|
||
| The uv.lock file is used to track vulnerabilities in dependencies. | ||
| Every push to a protected branch or a created tag will trigger an update of the Dependency Track Dashboard. |
There was a problem hiding this comment.
das ist theoretisch nicht korrekt. Die default rule, dass die jobs laufen ist:
($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG) && $CI_PIPELINE_SOURCE != "schedule"
in kurz: Wenn du auf den default branch pushst, oder einen tag (und nicht bei gescheduled pipelines). Das kann aber alles per input konifguriert werden: https://singular-code.de/explore/catalog/singularit/ci-components/security/dependency-audit?tab=components
|
|
||
| 1. `django-test` - runs the django unit tests | ||
| 2. `deploy-check` - runs the django deployment check for security issues | ||
| 3. `sbom:uv:prod` - generates a Software Bill of Materials (SBOM) for the Dependency Track Dashboard. There is a separate .post stage where the SBOM is uploaded to the Dependency Track Dashboard. |
There was a problem hiding this comment.
ist glaube ich nicht wichtig zu erwähnen, dass die auch da ist. Weil die ja sehr abstract ist.
| When? Each push to a protected branch or a branch that has an open pull request to a protected branch. | ||
| staging server. |
There was a problem hiding this comment.
meinst du hier staging und review app oder wieso auch wenn man vom mr aus kommt?
No description provided.