feat: implement per-image SBOMs with attestations #2445

Merged
mfreeman451 merged 7 commits from refs/pull/2445/head into main 2025-11-23 02:02:59 +00:00
mfreeman451 commented 2025-11-23 00:13:55 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1977
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1977
Original created: 2025-11-23T00:13:55Z
Original updated: 2025-11-23T02:03:09Z
Original head: carverauto/serviceradar:chore/syft_integration
Original base: main
Original merged: 2025-11-23T02:02:59Z by @mfreeman451

User description

Summary

Implements Option 2 from our SBOM strategy discussion: hybrid approach with both source and per-image SBOMs.

What's New

1. Per-Image Container SBOMs 🎯

  • New workflow generates SBOM for each container image
  • Attaches SBOMs as OCI attestations using cosign (keyless signing)
  • Produces both SPDX JSON and human-readable formats
  • Auto-runs after release publication
  • Supports 14 container images

2. Improved Source SBOM

  • Better exclusions (tests, build artifacts, .next, .bazel, etc.)
  • Weekly automated generation (Monday 00:00 UTC)
  • Renamed to serviceradar-source.spdx.json for clarity
  • Added summary output

3. Build Environment Updates

  • Added cosign v2.4.1 to ARC runner
  • Added syft v1.38.0 to ARC runner
  • Added both tools to RBE image
  • Ensures SBOM tools available in all build contexts

4. Documentation

  • Comprehensive docs/SBOM.md with:
    • Verification instructions
    • Vulnerability scanning guide
    • SBOM locations and types
    • Compliance information

Benefits

Per-image dependency tracking (know exactly what's in each container)
Supply chain security (signed attestations)
Vulnerability scanning per deployment
NIST SP 800-218 compliance
Works with Grype, Trivy, etc.

Verification Example

# Verify SBOM attestation
cosign verify-attestation --type spdx \
  ghcr.io/carverauto/serviceradar-core:v1.0.56

# Download and inspect
cosign download attestation \
  ghcr.io/carverauto/serviceradar-core:v1.0.56 | \
  jq -r '.payload' | base64 -d | jq '.predicate'

# Scan for CVEs
grype ghcr.io/carverauto/serviceradar-core:v1.0.56

Testing

  • ARC runner image builds successfully
  • RBE image builds successfully
  • Source SBOM workflow runs
  • Image SBOM workflow runs after next release

Compliance

Supports compliance with:

  • EO 14028 (Improving Nation's Cybersecurity)
  • NIST SP 800-218
  • CISA supply chain guidelines

PR Type

Enhancement


Description

  • Implement per-image container SBOMs with OCI attestations using cosign keyless signing

  • Add new workflow to generate SBOMs for 14 container images automatically after releases

  • Improve source SBOM with better exclusions and weekly scheduling

  • Install cosign v2.4.1 and syft v1.38.0 in build environments (RBE and ARC runner)

  • Add comprehensive SBOM documentation with verification and vulnerability scanning guides


Diagram Walkthrough

flowchart LR
  A["Release Published"] -->|triggers| B["Generate Image SBOMs"]
  B -->|syft| C["SPDX JSON + Table"]
  C -->|cosign| D["OCI Attestations"]
  D -->|upload| E["Release Assets"]
  F["Source Code"] -->|weekly| G["Source SBOM"]
  D -->|verify| H["cosign verify-attestation"]
  C -->|scan| I["Grype/Trivy"]

File Walkthrough

Relevant files
Enhancement
sbom-images.yml
New container image SBOM generation workflow                         

.github/workflows/sbom-images.yml

  • New workflow generates SBOM for each of 14 container images using syft
  • Attaches SBOMs as OCI attestations using cosign keyless signing
  • Produces both SPDX JSON and human-readable table formats
  • Uploads artifacts to GitHub releases and stores as workflow artifacts
  • Triggered automatically after release publication or via manual
    dispatch
+138/-0 
sbom-syft.yml
Improve source SBOM with scheduling and exclusions             

.github/workflows/sbom-syft.yml

  • Rename workflow from 'sbom-syft' to 'Source Code SBOM' for clarity
  • Add weekly schedule trigger (Monday 00:00 UTC)
  • Expand exclusions to include .next, .bazel, testdata,
    docs/.docusaurus, and other build artifacts
  • Rename output file to serviceradar-source.spdx.json
  • Add summary output with guidance on container image SBOMs
+27/-8   
Dependencies
Dockerfile.rbe
Add cosign and syft to RBE build image                                     

docker/Dockerfile.rbe

  • Install cosign v2.4.1 for container signing and attestation
  • Install syft v1.38.0 for SBOM generation
  • Both tools added to RBE image for remote build execution
+13/-0   
Dockerfile
Add cosign and syft to ARC runner image                                   

docker/arc-runner/Dockerfile

  • Add curl and jq to base dependencies
  • Install cosign v2.4.1 for container signing and attestation
  • Install syft v1.38.0 for SBOM generation
  • Ensures SBOM tools available in ARC runner environment
+16/-1   
Documentation
SBOM.md
Add comprehensive SBOM documentation and guides                   

docs/SBOM.md

  • New comprehensive documentation covering SBOM types and use cases
  • Detailed verification instructions for container image attestations
    using cosign
  • Vulnerability scanning guide with Grype and Trivy examples
  • Lists all 14 container images with dedicated SBOMs
  • Includes compliance information (EO 14028, NIST SP 800-218, CISA
    guidelines)
  • FAQ section addressing common questions about SBOM strategy
+162/-0 

qodo-code-review[bot] commented 2025-11-23 00:14:37 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1977#issuecomment-3567184087
Original created: 2025-11-23T00:14:37Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Unconstrained cosign identity

Description: The cosign attestation step performs keyless signing without constraining certificate
identity or OIDC issuer (no --certificate-identity/-regexp or
--certificate-oidc-issuer/-regexp), allowing attestations issued to any identity to be
considered valid during later verification if consumers follow the permissive examples,
weakening supply-chain guarantees.
sbom-images.yml [93-97]

Referred Code
# Use keyless signing (OIDC)
cosign attest --yes \
  --predicate ${{ matrix.image.name }}.spdx.json \
  --type spdx \
  "${IMAGE}"
Excessive token permissions

Description: The workflow logs into GHCR using the default GITHUB_TOKEN and grants packages: write and
contents: write permissions at workflow scope, which is broader than needed for SBOM
generation and increases blast radius if the job is compromised; least-privilege scoping
to read packages (for pulls) and limiting contents to read is recommended.
sbom-images.yml [60-66]

Referred Code
- name: Log in to GHCR
  uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

Unverified install script

Description: The Dockerfile installs syft via a remote install script piped to sh over HTTPS without
pinning the script source or verifying checksums/signatures, enabling supply-chain
compromise if the script is tampered with.
Dockerfile.rbe [113-116]

Referred Code
ARG SYFT_VERSION=1.38.0
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
    sh -s -- -b /usr/local/bin v${SYFT_VERSION} \
    && syft version
Unverified install script

Description: The Dockerfile fetches and executes the syft install script via curl | sh without checksum
or signature verification, allowing arbitrary code execution if the script or transport is
compromised.
Dockerfile [30-32]

Referred Code
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
    sh -s -- -b /usr/local/bin ${SYFT_VERSION} && \
    syft version
Unsigned binary download

Description: Cosign binary is downloaded directly from GitHub Releases without checksum/signature
verification or pinned digest, risking binary tampering or downgrade attacks despite
version pinning.
Dockerfile.rbe [107-110]

Referred Code
RUN curl -sSfL https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 \
    -o /usr/local/bin/cosign \
    && chmod +x /usr/local/bin/cosign \
    && cosign version
Unsigned binary download

Description: Cosign is downloaded via curl from GitHub Releases without verifying checksums/signatures,
exposing the build to potential supply-chain attacks if the artifact is altered.
Dockerfile [23-26]

Referred Code
RUN curl -sSfL https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64 \
    -o /usr/local/bin/cosign && \
    chmod +x /usr/local/bin/cosign && \
    cosign version
Lax release upload checks

Description: The release upload step uses GH CLI with GH_TOKEN but does not restrict which release is
targeted beyond a tag string and continues on failure, which could unintentionally upload
artifacts to an incorrect release if TAG is misderived or attacker-controlled; add
explicit repo/ref checks and strict failure handling.
sbom-images.yml [109-117]

Referred Code
if: startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && startsWith(inputs.tag, 'v'))
env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
  TAG="${{ steps.tag.outputs.tag }}"
  gh release upload "${TAG}" \
    ${{ matrix.image.name }}.spdx.json \
    ${{ matrix.image.name }}.sbom.txt \
    --clobber || echo "Failed to upload to release, continuing..."
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing audit logs: The workflow performs critical actions (image login, SBOM generation, signing/attestation,
release uploads) without explicit logging of actor, action, and outcomes beyond minimal
echo statements, which may hinder reconstructing events.

Referred Code
- name: Log in to GHCR
  uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

- name: Determine image tag
  id: tag
  run: |
    if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
      echo "tag=${{ inputs.tag }}" >> $GITHUB_OUTPUT
    else
      # Extract tag from the triggering workflow
      TAG=$(echo "${{ github.event.workflow_run.head_branch }}" | sed 's/refs\/tags\///')
      echo "tag=${TAG:-latest}" >> $GITHUB_OUTPUT
    fi

- name: Generate SBOM for ${{ matrix.image.name }}
  run: |
    IMAGE="${{ matrix.image.repo }}:${{ steps.tag.outputs.tag }}"


 ... (clipped 38 lines)

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Weak error handling: Shell steps call external tools (syft, cosign, gh) without explicit set -e/-o pipefail or
conditional checks, and errors are sometimes ignored (release upload continues on
failure), risking silent or unclear failures.

Referred Code
- name: Generate SBOM for ${{ matrix.image.name }}
  run: |
    IMAGE="${{ matrix.image.repo }}:${{ steps.tag.outputs.tag }}"
    echo "Generating SBOM for ${IMAGE}"

    syft "${IMAGE}" -o spdx-json > ${{ matrix.image.name }}.spdx.json

    # Also generate human-readable table format
    syft "${IMAGE}" -o table > ${{ matrix.image.name }}.sbom.txt

- name: Attach SBOM as attestation
  run: |
    IMAGE="${{ matrix.image.repo }}:${{ steps.tag.outputs.tag }}"
    echo "Attaching SBOM attestation to ${IMAGE}"

    # Use keyless signing (OIDC)
    cosign attest --yes \
      --predicate ${{ matrix.image.name }}.spdx.json \
      --type spdx \
      "${IMAGE}"



 ... (clipped 20 lines)

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Tag validation: The workflow uses an unvalidated tag input and branch-derived tag to construct image
references without sanitization or pattern checks, which could allow malformed inputs to
influence operations.

Referred Code
- name: Determine image tag
  id: tag
  run: |
    if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
      echo "tag=${{ inputs.tag }}" >> $GITHUB_OUTPUT
    else
      # Extract tag from the triggering workflow
      TAG=$(echo "${{ github.event.workflow_run.head_branch }}" | sed 's/refs\/tags\///')
      echo "tag=${TAG:-latest}" >> $GITHUB_OUTPUT
    fi

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
github-advanced-security[bot] commented 2025-11-23 00:14:45 +00:00 (Migrated from github.com)

Imported GitHub PR review comment.

Original author: @github-advanced-security[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1977#discussion_r2553528240
Original created: 2025-11-23T00:14:45Z
Original path: .github/workflows/sbom-images.yml
Original line: 74

Code injection

Potential code injection in ${{ github.event.workflow_run.head_branch }}, which may be controlled by an external user (workflow_run).

Show more details: https://github.com/carverauto/serviceradar/security/code-scanning/78
qodo-code-review[bot] commented 2025-11-23 00:15:45 +00:00 (Migrated from github.com)

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1977#issuecomment-3567185789
Original created: 2025-11-23T00:15:45Z

PR Code Suggestions

Explore these optional code suggestions:

Category: High-level
Suggestion: Correct insecure cosign verification command

The cosign verify-attestation command is insecure due to overly permissive
wildcards for identity and issuer verification. It should be updated to use
specific, trusted values to ensure attestations originate from the correct
GitHub Actions workflow.

Examples:

.github/workflows/sbom-images.yml [135-136]
          echo "  --certificate-identity-regexp='.*' \\" >> $GITHUB_STEP_SUMMARY
          echo "  --certificate-oidc-issuer-regexp='.*' \\" >> $GITHUB_STEP_SUMMARY
docs/SBOM.md [51-52]
  --certificate-identity-regexp='.*' \
  --certificate-oidc-issuer-regexp='.*' \

Solution Walkthrough:

Before:

# In docs/SBOM.md and workflow summary
cosign verify-attestation \
  --type spdx \
  --certificate-identity-regexp='.*' \
  --certificate-oidc-issuer-regexp='.*' \
  ghcr.io/carverauto/serviceradar-core:v1.0.56

After:

# In docs/SBOM.md and workflow summary
cosign verify-attestation \
  --type spdx \
  --certificate-identity-regexp 'https://github.com/carverauto/serviceradar-core/.github/workflows/sbom-images.yml@.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/carverauto/serviceradar-core:v1.0.56

Suggestion importance[1-10]: 9


Why: The suggestion identifies a critical security flaw in the provided verification instructions, which, if followed, would negate the security benefits of the entire attestation process.

Impact: High

Category: Possible issue
Suggestion: Improve image tag determination logic

Improve the image tag determination logic to explicitly check for a tag and fail
the job if one is not found, preventing the use of incorrect tags like branch
names or latest.

.github/workflows/sbom-images.yml [67-76]

 - name: Determine image tag
   id: tag
   run: |
     if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-      echo "tag=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+      TAG="${{ inputs.tag }}"
     else
-      # Extract tag from the triggering workflow
-      TAG=$(echo "${{ github.event.workflow_run.head_branch }}" | sed 's/refs\/tags\///')
-      echo "tag=${TAG:-latest}" >> $GITHUB_OUTPUT
+      if [[ "${{ github.event.workflow_run.head_branch }}" == refs/tags/* ]]; then
+        TAG=$(echo "${{ github.event.workflow_run.head_branch }}" | sed 's:^refs/tags/::')
+      else
+        echo "::error::Triggering workflow was not for a tag. head_branch was: ${{ github.event.workflow_run.head_branch }}"
+        exit 1
+      fi
     fi
+    echo "tag=${TAG}" >> $GITHUB_OUTPUT
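Review bot: the replacement still interpolates `${{ github.event.workflow_run.head_branch }}` directly into the script body at three points (the `[[ ... ]]` test, the `sed` line and the `::error::` message), which is the very expression the code-scanning alert at line 74 of this file flags as attacker-controllable under `workflow_run`. Pass it in through `env:` (for example `HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}`) and reference `"$HEAD_BRANCH"` in the script; the `sed` can then become `TAG=${HEAD_BRANCH#refs/tags/}`, and the last line should quote `"$GITHUB_OUTPUT"`.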
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies a critical flaw in the tag determination logic that could lead to incorrect or overwritten attestations, and provides a robust fix that makes the workflow fail-safe.

Impact: High

Suggestion: Fix condition for release asset upload

Correct the if condition for the 'Attach SBOM to release' step by using
github.event.workflow_run.head_branch to ensure assets are uploaded for
workflow_run events.

.github/workflows/sbom-images.yml [108-117]

 - name: Attach SBOM to release
-  if: startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && startsWith(inputs.tag, 'v'))
+  if: (github.event_name == 'workflow_run' && startsWith(github.event.workflow_run.head_branch, 'refs/tags/v')) || (github.event_name == 'workflow_dispatch' && startsWith(inputs.tag, 'v'))
   env:
     GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   run: |
     TAG="${{ steps.tag.outputs.tag }}"
     gh release upload "${TAG}" \
       ${{ matrix.image.name }}.spdx.json \
       ${{ matrix.image.name }}.sbom.txt \
       --clobber || echo "Failed to upload to release, continuing..."
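Review bot: the `|| echo "Failed to upload to release, continuing..."` on the last line still swallows a failed `gh release upload`, so a missing or mis-tagged release leaves the SBOM assets unpublished while the job stays green; the compliance summary above already lists this under weak error handling. Either drop the fallback so the step fails, or emit `::warning::` and record a step output that a later step checks. The `TAG="${{ steps.tag.outputs.tag }}"` interpolation is also the expression code scanning flags at line 116; reading it from `env:` closes that path regardless of how the `if:` condition is fixed.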
Suggestion importance[1-10]: 9


Why: This suggestion fixes a bug that would prevent a key feature of the workflow—uploading SBOMs to a release—from working correctly when triggered by another workflow.

Impact: High

Category: General
Suggestion: Standardize tool version variable definitions

Standardize tool version variables by removing the v prefix from ARG definitions
and adding it within the RUN commands where required, aligning this file with
docker/Dockerfile.rbe.

docker/arc-runner/Dockerfile [21-32]

 # Install cosign for container signing/attestation
-ARG COSIGN_VERSION=v2.4.1
-RUN curl -sSfL https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64 \
+ARG COSIGN_VERSION=2.4.1
+RUN curl -sSfL https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 \
     -o /usr/local/bin/cosign && \
     chmod +x /usr/local/bin/cosign && \
     cosign version
 
 # Install syft for SBOM generation
-ARG SYFT_VERSION=v1.38.0
+ARG SYFT_VERSION=1.38.0
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
-    sh -s -- -b /usr/local/bin ${SYFT_VERSION} && \
+    sh -s -- -b /usr/local/bin v${SYFT_VERSION} && \
     syft version
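Review bot: both installs trust whatever the network returns: the cosign binary is fetched without a checksum or signature check, and the syft installer is piped to `sh` from the `main` branch of `anchore/syft` rather than a pinned tag or commit, so moving the `v` prefix changes nothing about what actually lands in the runner image. Given that the PR's stated goal is a signed supply chain, pin the install script to a release ref and verify the cosign download against its published checksum before the `chmod +x`.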
Suggestion importance[1-10]: 5


Why: The suggestion improves code consistency across multiple Dockerfiles by standardizing the format of version variables, which enhances maintainability.

Impact: Low
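The fail-safe tag derivation the suggestion above describes, written as a stand-alone shell function so it can be exercised outside the runner (an added example, not code from the PR or from either bot). It assumes the workflow passes `github.event_name`, `inputs.tag` and `github.event.workflow_run.head_branch` into the step through `env:` instead of interpolating them into `run:`, which is what removes the injection path the code-scanning alerts describe, and, like the suggestion, that `head_branch` carries the `refs/tags/` prefix for tag-triggered runs; the `vMAJOR.MINOR.PATCH` pattern is a constructed policy, not the project's.

```shell
# Accept only release tags of the form vMAJOR.MINOR.PATCH with an optional
# pre-release suffix such as -rc1 (constructed policy, not the project's).
validate_tag() {
  # A value carrying an embedded newline would let grep match its first
  # line only, so reject it outright before the pattern check.
  nl=$(printf '\n.'); nl=${nl%.}
  case "$1" in *"$nl"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$'
}

# determine_tag EVENT_NAME INPUT_TAG HEAD_BRANCH
# Prints the validated tag on stdout, or prints an error and returns 1.
# In the workflow the three arguments come from variables set via `env:`
# (assumed names EVENT_NAME, INPUT_TAG, HEAD_BRANCH), never from ${{ }}
# expressions pasted into the script body.
determine_tag() {
  event_name=$1
  input_tag=$2
  head_branch=$3
  tag=
  case "$event_name" in
    workflow_dispatch)
      tag=$input_tag
      ;;
    workflow_run)
      # Only a tag push qualifies; a branch build must not fall back to
      # "latest" or a branch name, which would attest the wrong image.
      case "$head_branch" in
        refs/tags/*) tag=${head_branch#refs/tags/} ;;
        *)
          echo "::error::triggering run was not a tag push: $head_branch" >&2
          return 1
          ;;
      esac
      ;;
    *)
      echo "::error::unsupported event: $event_name" >&2
      return 1
      ;;
  esac
  # Reject anything that is not a well-formed release tag, including empty
  # input and strings carrying shell metacharacters.
  if ! validate_tag "$tag"; then
    echo "::error::refusing malformed tag: '$tag'" >&2
    return 1
  fi
  printf '%s\n' "$tag"
}

# Workflow usage (inside the step's run: block):
#   TAG=$(determine_tag "$EVENT_NAME" "$INPUT_TAG" "$HEAD_BRANCH") || exit 1
#   echo "tag=$TAG" >> "$GITHUB_OUTPUT"
```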
github-advanced-security[bot] commented 2025-11-23 00:34:54 +00:00 (Migrated from github.com)

Imported GitHub PR review comment.

Original author: @github-advanced-security[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1977#discussion_r2553571788
Original created: 2025-11-23T00:34:54Z
Original path: .github/workflows/sbom-images.yml
Original line: 83

Code injection

Potential code injection in ${{ steps.tag.outputs.tag }}, which may be controlled by an external user (workflow_run).

Show more details: https://github.com/carverauto/serviceradar/security/code-scanning/79
github-advanced-security[bot] commented 2025-11-23 00:34:54 +00:00 (Migrated from github.com)

Imported GitHub PR review comment.

Original author: @github-advanced-security[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1977#discussion_r2553571790
Original created: 2025-11-23T00:34:54Z
Original path: .github/workflows/sbom-images.yml
Original line: 93

Code injection

Potential code injection in ${{ steps.tag.outputs.tag }}, which may be controlled by an external user (workflow_run).

Show more details: https://github.com/carverauto/serviceradar/security/code-scanning/80
github-advanced-security[bot] commented 2025-11-23 00:34:54 +00:00 (Migrated from github.com)

Imported GitHub PR review comment.

Original author: @github-advanced-security[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1977#discussion_r2553571791
Original created: 2025-11-23T00:34:54Z
Original path: .github/workflows/sbom-images.yml
Original line: 116

Code injection

Potential code injection in ${{ steps.tag.outputs.tag }}, which may be controlled by an external user (workflow_run).

Show more details: https://github.com/carverauto/serviceradar/security/code-scanning/81