
ci: add SAST, SBOM generation, and supply-chain attestation#47

Open
jcputney wants to merge 2 commits into main from claude/add-sast-sca-sbom-1JrKD

Conversation

@jcputney (Owner) commented May 5, 2026

  • SpotBugs now runs the FindSecBugs detector plugin so CWE-style security
    rules are enforced alongside the existing bug-pattern checks
  • New CodeQL workflow runs security-extended + security-and-quality queries
    on push, PR, and weekly schedule
  • CycloneDX Maven plugin generates per-module CycloneDX 1.6 BOMs
    (bom.json + bom.xml) attached as artifacts during the package phase
  • Release workflow generates GitHub build-provenance and SBOM attestations
    for each published jar and uploads SBOMs to the GitHub release

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI left a comment

Pull request overview

This PR strengthens the repository’s supply-chain security posture by adding automated SAST scanning (SpotBugs + FindSecBugs, plus CodeQL) and generating CycloneDX SBOMs that are then used to create GitHub supply-chain attestations during releases.

Changes:

  • Configure SpotBugs to run the FindSecBugs detector plugin (security-focused SpotBugs rules).
  • Add CycloneDX SBOM generation (CycloneDX 1.6, JSON+XML) during the Maven package phase for each module.
  • Extend the release workflow to generate build provenance + SBOM attestations and upload SBOMs as release assets; add a new CodeQL workflow for security scanning.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Summary per file:

  • pom.xml: Adds FindSecBugs to the SpotBugs configuration and centralizes the CycloneDX plugin configuration/version via pluginManagement.
  • mjml-java-core/pom.xml: Enables the CycloneDX plugin for the core module so per-module SBOMs are produced.
  • mjml-java-resolvers/pom.xml: Enables the CycloneDX plugin for the resolvers module so per-module SBOMs are produced.
  • mjml-java-spring/pom.xml: Enables the CycloneDX plugin for the spring module so per-module SBOMs are produced.
  • .github/workflows/release.yml: Adds build provenance + SBOM attestations and uploads SBOM artifacts to the GitHub Release.
  • .github/workflows/codeql.yml: Adds a CodeQL workflow running the security-extended and security-and-quality query suites on push/PR and on a weekly schedule.


Comment thread on pom.xml (outdated)
<configuration>
<projectType>library</projectType>
<schemaVersion>1.6</schemaVersion>
<includeBomSerialNumber>true</includeBomSerialNumber>
The serial number was a per-build UUID that made bom.json/bom.xml diff on
every build even when dependencies didn't change. Disabling it makes SBOMs
reproducible across builds, so attestations are stable and review diffs
only show real dependency changes.
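The reproducibility argument in the reply above, together with the per-module CycloneDX 1.6 bom.json generation listed in the PR description, as an added Python example that is not code from this pull request or from the mjml-java project. It constructs three bom.json documents (builds 1 and 2 differ only in serialNumber and metadata.timestamp; build 3 carries a real dependency change), strips the per-build fields, and diffs what remains, which is the comparison a reviewer or release pipeline would want before attesting the SBOM. The component names, purls, UUIDs and timestamps are invented, and that the generating tool also emits metadata.timestamp is an assumption, not something the PR states.

```python
"""Compare CycloneDX bom.json files across builds while ignoring per-build noise.

Added example; not code from the pull request or the mjml-java project.
Assumes bom.json as produced by a CycloneDX 1.6 generator, where the only
fields expected to vary between otherwise identical builds are the top-level
serialNumber (when enabled) and metadata.timestamp (assumed to be emitted).
"""
import copy
import json


def _bom(serial, timestamp, components):
    # Builds a constructed sample bom.json document (not real project output).
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": serial,
        "version": 1,
        "metadata": {
            "timestamp": timestamp,
            "component": {"type": "library", "name": "mjml-java-core", "version": "1.0.0"},
        },
        "components": components,
    })


# Constructed dependencies; org.example coordinates are placeholders.
LIB_A_100 = {"type": "library", "group": "org.example", "name": "lib-a", "version": "1.0.0",
             "purl": "pkg:maven/org.example/lib-a@1.0.0"}
LIB_A_101 = {**LIB_A_100, "version": "1.0.1", "purl": "pkg:maven/org.example/lib-a@1.0.1"}
LIB_B_200 = {"type": "library", "group": "org.example", "name": "lib-b", "version": "2.0.0",
             "purl": "pkg:maven/org.example/lib-b@2.0.0"}

# Builds 1 and 2: identical dependencies, fresh UUID and timestamp (includeBomSerialNumber=true).
BUILD_1 = _bom("urn:uuid:11111111-1111-4111-8111-111111111111", "2026-05-05T10:00:00Z",
               [LIB_A_100, LIB_B_200])
BUILD_2 = _bom("urn:uuid:22222222-2222-4222-8222-222222222222", "2026-05-05T11:00:00Z",
               [LIB_A_100, LIB_B_200])
# Build 3: lib-a bumped and lib-b dropped, i.e. a real dependency change.
BUILD_3 = _bom("urn:uuid:33333333-3333-4333-8333-333333333333", "2026-05-06T09:00:00Z",
               [LIB_A_101])

VOLATILE_TOP = ("serialNumber",)
VOLATILE_META = ("timestamp",)


def load_builds():
    """Parse the three constructed BOMs into dicts."""
    return tuple(json.loads(s) for s in (BUILD_1, BUILD_2, BUILD_3))


def normalize(bom):
    """Return a copy with per-build fields removed so identical inputs compare equal."""
    out = copy.deepcopy(bom)
    for key in VOLATILE_TOP:
        out.pop(key, None)
    for key in VOLATILE_META:
        out.get("metadata", {}).pop(key, None)
    return out


def bom_identity(bom):
    """Map each component to its version, keyed by purl minus the version (or by name)."""
    index = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        key = purl.rsplit("@", 1)[0] if purl else comp.get("name")
        index[key] = comp.get("version")
    return index


def is_reproducible(bom_a, bom_b):
    """True when the two BOMs differ only in the volatile per-build fields."""
    return normalize(bom_a) == normalize(bom_b)


def diff_components(old, new):
    """Report only real dependency changes between two BOMs."""
    a, b = bom_identity(old), bom_identity(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": {k: (a[k], b[k]) for k in sorted(a) if k in b and a[k] != b[k]},
    }


def sbom_findings(bom):
    """Sanity checks a release job could run on bom.json before attesting it."""
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if bom.get("specVersion") != "1.6":
        findings.append(f"unexpected specVersion {bom.get('specVersion')!r}")
    if "serialNumber" in bom:
        findings.append("serialNumber present: BOM changes on every build")
    for comp in bom.get("components", []):
        if not comp.get("purl"):
            findings.append(f"component {comp.get('name')} has no purl")
    return findings


if __name__ == "__main__":
    b1, b2, b3 = load_builds()
    print("raw equal    :", b1 == b2)
    print("reproducible :", is_reproducible(b1, b2))
    print("real changes :", diff_components(b1, b3))
    print("findings     :", sbom_findings(b1))
```

With serialNumber disabled in the plugin configuration the `serialNumber` finding disappears and two builds of unchanged dependencies produce byte-identical JSON, so an attestation over the SBOM only changes when `diff_components` would report something.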

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.


