From 8ee2dc21787331fb243a184ccd432c6747db4534 Mon Sep 17 00:00:00 2001 From: Matthew Casperson Date: Mon, 3 Nov 2025 07:48:26 +1000 Subject: [PATCH] Added a script to perform sbom scanning --- gulpfile.babel.js | 4 +++- step-templates/logos/sbom.png | Bin 0 -> 3247 bytes step-templates/sbom-scan.json | 25 +++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 step-templates/logos/sbom.png create mode 100644 step-templates/sbom-scan.json diff --git a/gulpfile.babel.js b/gulpfile.babel.js index 8745c1e28..17999d44c 100644 --- a/gulpfile.babel.js +++ b/gulpfile.babel.js @@ -148,7 +148,7 @@ function humanize(categoryId) { case "elmah": return "ELMAH"; case "email": - return "Email"; + return "Email"; case "entityframework": return "Entity Framework"; case "event-tracing": @@ -239,6 +239,8 @@ function humanize(categoryId) { return "Redgate"; case "roundhouse": return "RoundhousE"; + case "sbom": + return "SBOM"; case "sharepoint": return "SharePoint"; case "snowflake": 
diff --git a/step-templates/logos/sbom.png b/step-templates/logos/sbom.png new file mode 100644 index 0000000000000000000000000000000000000000..24a33ed10aa6cfcf390fdc8fca62db8c162bba96 GIT binary patch literal 3247 zcmc&%`8yPD_cmlO7>q1g$7GpoV`Pnw#u%CG$}~!vF+?azA4|!;%#dB7vK1Lywy_J1 zU0EWGUD@|2OP2EL`u+po>;2{Z;XKbd_x0T8I?pfnb)QH}b0cn$2#AS^iTg4ZbLHgj z{2T1Rlk=TTaRw6;m-l6izO`@K`XtAF+|U`e&5MrHLhODJe)h{jyra?-Y+2Y~;sa!v*iwtt%2jge?_MVWNZ!-#{SV=mDP${wFZ) zg{i~j?-Pf|Jz8K9r>_lrfqOdRK5t(6qcCy;+%Q)G7IY3hh}T60iV@*rPXPY^OA3?Q z)cDgbp24hu!0cnj@;Ri9ubUK5h#CSb6t_5i>5`qnS=pY+kZMhaTcG=$CN;&>Ym`Ch zfD}V!7KjrM;+Q>7?-;q3Czcc=iueQ!=V5^W<&rJU-%>G$#-*@iqWy=UFs!W!ochst zU~99_k9LZa4=CN4_RP}UOyX6jsPZ}hBmtCW53xgQw?Pzrg?V2!2ElR|lA|NMp?@%}2H%BnefwyJ*Ue%~GutpB74f)(WplSY?L23#;3m*+|vUtM0kz zaRbF{w(kNimRv7}bPE6yuA#XVjdvtHSK+Ef83pT@@Uh1zgFo4RisC=|3z0H&KNdQFKspn zOp3(|%04HOSWag6xZRM?*}R$i_@qHZK7T?Z1Lw*is|+15&dZQ-koNm?fC*tX{rz$GC;Bu0jI@Wvwm0yD#)dh>1K#wN*p zm($NX{GN^a!`elW2F|&?Wj$vTV8H?F`9fwI+yC=ITdJ=~GHS_D_e?wu=uDh?hL&!v zWJ`#3W**4C`aV#wKnwB1OX)?+5FpZZ8eC0CiTgp*3GD>qfpbUS#2@sTHSmhIK%&wf zn4x~u$^0_OyEPgK1qo)eKtv}ceDK??;b+THr$OyN$1jo*`yIk_<}n?PcQ;iupj_m7 zL!&O=z)_`WY$!l#fQX`~3G>3Zfnopi5_3vgx#}MZv%0#b0W%*U!P7;zDh#jHVvcwe234-p z5em1YMr&cAFsR*yPG2N8*8GKP0f;Yq)?M7e9_MAo(%Ily-dMlet8nJYK@k_oF4A`FukBW@n5WzEOarmpKnf2LDBrXe0GEr z8iaI+x0i8&?(Hw?_z`iLM~;6Vt&jiw{7h6_+tq;=#_n83QNt+N@Aagd_tWofsM=Mq zQGajU%VftV5MPK`0(!=^^{t2C7&qao=b`e@ixTZG6g5ZRJ6tSE+&#so4vdUkK&3nK zRmW&3z4!@q-|SY%Y?eRgjAD-D?A*!r3+mPk95uJWX=|_zP&hkl9@YnSS08^y+Uz8K z`_Y~?v+`m@SRzApa>aGEaPdmyky^4~=cp@c*o;uheJw^T6%dI5I__5PLm#eBGS~}q z8W&;I=!2a({#I*5W0|P;_L4MhCut<4$xqPl_KQ2c+2i)OOx;@B=vLqy{&|DGllIt1 zSc_57_o?Scx1QQP7qxlDtZLHcZ%Z`llTba_%!ppn9-7jQgg$&<+kdb%1_&>2VmD-) z+q&+Law?@&VjexoUE8zSZm0IX81~z};y6*cZD8|u>=0WEr>f7Syraf`V(qHR-i5BE zs((9;mD7XrBbLF5>oYE*#Ez5iqA#4)(Az+_B8-TuEn|@=70f5iRfJ$#SKbPqWt#A04Qr z_WlZTeA^*H^BPmT%_s`BONs7AyC&|ZAJ~;C_Rv=8ngPACVx|2-b!`orLLazq(mZD8 z$+a2~#kk*F4n@->kBQes0Tch+E^%Y_G_Lkdo63Bfe0624f*f$nw{`_D?0CC|IvP>v 
z{YPoO%fLu)PYD?7tpdm6@wzH)cH&68YV|7DW!`wNj+ZZy19Vc>Ogm%B3($p)q2I$V z29IrY_RDUI{uE5B3A_?~e5Yc(=Ewau+@g=6&+GMV8TkehcN)CYyw%Xzi5_#)?_jCY zFckH8rOWE(Emk?}pW(QllYW;vhB|%@>)rcf?4Fm0B!7`3mv1b;zJDIiCM|;$vFKjt z9*!Iw_M$p~=l2gy?543TJ8bXCDY*{KhIa{Lq}eKd`>6+6)N=Wqbi>= zmqR_RAteQHAYmH!Yzno@6i1ha6>KN<((ZwV zMBRK@53Q_Afwp=WKmg@}N6Ui$tc2GY?#v_3?WW)|Azt_>f2I)}T) zdez?j&9S-^a89eTc8km4<;6TOSzee&k>XQsxLW!D8Y(u2}4>l+4*fRYB~1@m;__}^@C_A8;bWp$5v(94o> zTxdqDuE9eXFh^kJ_8AR(@!btKj8^5Txp0P$!|qwhtSy^6(;3l&cdV7>%YuegpwkWq z&G&r!t6}2G%U%6>oLAvS$EExM*ZVmKF9376s{)_!3Qb($)_mmk4K?>Ka`i$5_N(GG z(e1T_uL%E%(%S)ZAGnUE!@u1T)zeoz_%27jKQ-6M^)=lxeVAZn!QGsC&qC_M8y9# zzViFDs<}eJxFg|~%7^KSkTiQ#$Wjsle3%KBS4sGc{HMLithIGD`7H^BCR+HPRZhDR zgV>8$j7*&8Y=6oFM%_@&6sETag^h4cqh||vmDFO-46*u{cC&?pSs=0}3Yq2U&h5<* z59W7m8Vqp>{{zqpmtcVa6bQ#+K8VS0)07dx0{iB4#{40I`g)Uuf~_HN1Y$p}e$#%P z?(uu?M9XWo%I~J>6tTcPg?aS{D?b^Vs`)To{%hRt--`e5OvoP|xM{7Z^qT$KlSPE- MvY|Pq7)=cM53!}@Jpcdz literal 0 HcmV?d00001 diff --git a/step-templates/sbom-scan.json b/step-templates/sbom-scan.json new file mode 100644 index 000000000..114578688 --- /dev/null +++ b/step-templates/sbom-scan.json 
@@ -0,0 +1,25 @@
+{
+ "Id": "a38bfff8-8dde-4dd6-9fd0-c90bb4709d5a",
+ "Name": "Scan for Vulnerabilities",
+ "Description": "This step extracts the Docker image, finds any bom.json files, and scans them for vulnerabilities using Trivy.",
+ "ActionType": "Octopus.Script",
+ "Version": 1,
+ "CommunityActionTemplateId": null,
+ "Packages": [],
+ "GitDependencies": [],
+ "Properties": {
+ "OctopusUseBundledTooling": "False",
+ "Octopus.Action.Script.ScriptSource": "Inline",
+ "Octopus.Action.Script.Syntax": "PowerShell",
+ "Octopus.Action.Script.ScriptBody": "Write-Host \"Pulling Trivy Docker Image\"\nWrite-Host \"##octopus[stdout-verbose]\"\ndocker pull ghcr.io/aquasecurity/trivy\nWrite-Host \"##octopus[stdout-default]\"\n\n$SUCCESS = 0\n\nWrite-Host \"##octopus[stdout-verbose]\"\nGet-ChildItem -Path \".\" | Out-String\nWrite-Host \"##octopus[stdout-default]\"\n\n# Find all bom.json files\n$currentDirectoryName = Split-Path -Path $PWD -Leaf\n$path = \".\"\n\n$bomFiles = Get-ChildItem -Path $path -Filter \"bom.json\" -Recurse -File\n\nif ($bomFiles.Count -eq 0) {\n Write-Host \"No bom.json files found in the current directory.\"\n exit 0\n}\n\nforeach ($file in $bomFiles) {\n Write-Host \"Scanning $($file.FullName)\"\n\n # Delete any existing report file\n if (Test-Path \"$PWD/depscan-bom.json\") {\n Remove-Item \"$PWD/depscan-bom.json\" -Force\n }\n\n # Generate the report, capturing the output\n try {\n $OUTPUT = docker run --rm -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q \"/input/$($file.Name)\"\n $exitCode = $LASTEXITCODE\n }\n catch {\n $OUTPUT = $_.Exception.Message\n $exitCode = 1\n }\n\n # Run again to generate the JSON output\n docker run --rm -v \"${PWD}:/output\" -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q -f json -o /output/depscan-bom.json \"/input/$($file.Name)\"\n\n # Octopus Deploy artifact\n New-OctopusArtifact \"$PWD/depscan-bom.json\"\n\n # Parse JSON output to count 
vulnerabilities\n $jsonContent = Get-Content -Path \"depscan-bom.json\" | ConvertFrom-Json\n $CRITICAL = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"CRITICAL\" }).Count\n $HIGH = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"HIGH\" }).Count\n\n if (\"#{Octopus.Environment.Name}\" -eq \"Security\") {\n Write-Highlight \"🟥 $CRITICAL critical vulnerabilities\"\n Write-Highlight \"🟧 $HIGH high vulnerabilities\"\n }\n\n # Set success to 1 if exit code is not zero\n if ($exitCode -ne 0) {\n $SUCCESS = 1\n }\n\n # Print the output\n $OUTPUT | ForEach-Object {\n if ($_.Length -gt 0) {\n Write-Host $_\n }\n }\n}\n\n# Cleanup\nfor ($i = 1; $i -le 10; $i++) {\n try {\n if (Test-Path \"bundle\") {\n Set-ItemProperty -Path \"bundle\" -Name IsReadOnly -Value $false -Recurse -ErrorAction SilentlyContinue\n Remove-Item -Path \"bundle\" -Recurse -Force -ErrorAction Stop\n break\n }\n }\n catch {\n Write-Host \"Attempting to clean up files\"\n Start-Sleep -Seconds 1\n }\n}\n\n# Set Octopus variable\nSet-OctopusVariable -Name \"VerificationResult\" -Value $SUCCESS\n\nexit 0"
+ },
+ "Parameters": [],
+ "StepPackageId": "Octopus.Script",
+ "$Meta": {
+ "ExportedAt": "2025-11-02T21:42:33.662Z",
+ "OctopusVersion": "2025.4.6337",
+ "Type": "ActionTemplate"
+ },
+ "LastModifiedBy": "mcasperson",
+ "Category": "sbom"
+}
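Review bot: The scan in ScriptBody can never gate a deployment: the script ends in an unconditional `exit 0`, `$SUCCESS` only flips to 1 when `$exitCode -ne 0`, and both `trivy sbom` invocations run without `--exit-code`, so (with trivy's default of exiting 0 regardless of findings, as far as I know) a bom.json full of CRITICAL results still leaves `VerificationResult` at 0 while the `$CRITICAL`/`$HIGH` counts are merely echoed, and only when the environment is literally named "Security". If the step is meant to block, either add `--exit-code 1 --severity CRITICAL,HIGH` to the first `docker run`, or set `if ($CRITICAL -gt 0 -or $HIGH -gt 0) { $SUCCESS = 1 }` after the counts; note too that `$CRITICAL`/`$HIGH` are reassigned on every loop iteration, so with several bom.json files only the last file's numbers survive. The scanner is pulled and run as bare `ghcr.io/aquasecurity/trivy` with no tag or digest, so each run takes whatever `latest` resolves to that day; a supply-chain scanning step should pin the image to a release tag or an `@sha256:` digest so results are reproducible and the scanner itself cannot be silently swapped. The `Description` says the step "extracts the Docker image" and the cleanup loop removes a `bundle` directory, but nothing in this script extracts an image or creates `bundle`; either the description should read "Recursively finds bom.json files in the working directory and scans them with Trivy, attaching the JSON report as an artifact", or the missing extraction step should be added.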