shiftleftcyber · VinnyBarton · Oct 24, 2025 · Oct 24, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,47 @@
+name: Build & Test
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: 🧩 Build & Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Install Dependencies
+        run: go mod download
+
+      - name: Build
+        run: |
+          go version
+          go build -o bin/sbom-validator-example example/main.go
+
+      - name: Run Tests
+        run: |
+          go test -v -coverprofile=coverage.out ./...
+          go tool cover -func=coverage.out
+
+      - name: Upload Coverage Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.out
+
+      - name: Add Job Summary
+        run: |
+          echo "### ✅ Build & Test Completed" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Unit tests passed successfully" >> $GITHUB_STEP_SUMMARY
+          echo "- 📊 Coverage Summary:" >> $GITHUB_STEP_SUMMARY
+          go tool cover -func=coverage.out | tail -n 1 >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
diff --git a/.github/workflows/golangci-lint.yml → .github/workflows/lint.yml b/.github/workflows/golangci-lint.yml → .github/workflows/lint.yml
@@ -1,30 +1,35 @@
 name: golangci-lint
+
 on:
   push:
-    branches:
-      - main
-      - master
+    branches: [ main ]
   pull_request:
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 jobs:
-  golangci:
-    name: lint
+  lint:
+    name: 🔍 Lint
     runs-on: ubuntu-latest
+
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
           cache: true
-  
+
       - name: Install Dependencies
-        run: |
-          go mod download
-
-      - name: golangci-lint
+        run: go mod download
+
+      - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
           version: v1.60
+
+      - name: Add Job Summary
+        run: |
+          echo "### 🔍 Lint Results" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Code linting completed successfully" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,46 @@
+name: GoReleaser
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    name: 🚀 Release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.21"
+          check-latest: true
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Signed SBOM to Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            sbom-validator.${{ github.ref_name }}.cdx.signed.json
+
+      - name: Add Job Summary
+        run: |
+          echo "### 🚀 Release Completed" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ GoReleaser successfully published binaries and SBOM" >> $GITHUB_STEP_SUMMARY
+          echo "- 🔏 Signed SBOM attached to GitHub release" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/sbom-sign-verify.yml b/.github/workflows/sbom-sign-verify.yml
@@ -0,0 +1,58 @@
+name: SBOM Generation, Signing, and Verification
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+    tags:
+      - 'v*'
+
+jobs:
+  sbom-sign-verify:
+    name: 🔏 SBOM Lifecycle
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Generate SBOM (CycloneDX)
+        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        with:
+          version: v1
+          args: mod -licenses -json -output-version 1.6 -output sbom-validator.${{ github.ref_name }}.cdx.json
+
+      - name: Sign SBOM
+        uses: shiftleftcyber/secure-sbom-action@v1.3.1
+        with:
+          sbom_file: sbom-validator.${{ github.ref_name }}.cdx.json
+          secure_sbom_action: sign
+          api_key: ${{ secrets.SECURE_SBOM_API_KEY }}
+          key_id: ${{ secrets.SECURE_SBOM_KEYID }}
+
+      - name: Verify SBOM
+        uses: shiftleftcyber/secure-sbom-action@v1.3.1
+        with:
+          sbom_file: sbom-validator.${{ github.ref_name }}.cdx.signed.json
+          secure_sbom_action: verify
+          api_key: ${{ secrets.SECURE_SBOM_API_KEY }}
+          key_id: ${{ secrets.SECURE_SBOM_KEYID }}
+
+      - name: Upload SBOM Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-artifacts
+          path: |
+            sbom-validator.${{ github.ref_name }}.cdx.json
+            sbom-validator.${{ github.ref_name }}.cdx.signed.json
+
+      - name: Add Job Summary
+        run: |
+          echo "### 🔏 SBOM Lifecycle Completed" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ SBOM generated, signed, and verified successfully" >> $GITHUB_STEP_SUMMARY
+          echo "- 📄 Artifacts uploaded for transparency" >> $GITHUB_STEP_SUMMARY
diff --git a/sample-sboms/sample-1.6.cdx.signed.json b/sample-sboms/sample-1.6.cdx.signed.json
@@ -0,0 +1 @@
+{"bomFormat":"CycloneDX","components":[{"licenses":[{"license":{"id":"MIT"}}],"name":"example-library","purl":"pkg:maven/org.example/example-library@2.0.0","type":"library","version":"2.0.0"}],"dependencies":[{"dependsOn":[],"ref":"pkg:maven/org.example/example-library@2.0.0"}],"metadata":{"component":{"name":"Example Application","type":"application","version":"1.0.0"},"timestamp":"2024-10-22T12:00:00Z","tools":[{"name":"SBOM Generator","vendor":"ACME Corp","version":"1.0.0"}]},"serialNumber":"urn:uuid:123e4567-e89b-12d3-a456-426614174000","signature":{"algorithm":"ES256","value":"MEQCIDuKdTJ2YFDFWPWbBZyg5p5pkTwrVc40bNdPsBkMhCnTAiBdh91Q24zoItU7m9bhdEFXGFGS4UVGa5MjtZzQOcMyKw=="},"specVersion":"1.6","version":1}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"bomFormat":"CycloneDX","components":[{"licenses":[{"license":{"id":"MIT"}}],"name":"example-library","purl":"pkg:maven/org.example/example-library@2.0.0","type":"library","version":"2.0.0"}],"dependencies":[{"dependsOn":[],"ref":"pkg:maven/org.example/example-library@2.0.0"}],"metadata":{"component":{"name":"Example Application","type":"application","version":"1.0.0"},"timestamp":"2024-10-22T12:00:00Z","tools":[{"name":"SBOM Generator","vendor":"ACME Corp","version":"1.0.0"}]},"serialNumber":"urn:uuid:123e4567-e89b-12d3-a456-426614174000","signature":{"algorithm":"ES256","value":"MEQCIDuKdTJ2YFDFWPWbBZyg5p5pkTwrVc40bNdPsBkMhCnTAiBdh91Q24zoItU7m9bhdEFXGFGS4UVGa5MjtZzQOcMyKw=="},"specVersion":"1.6","version":1}