Add: Add a job to build and push SBOM with trivy

Author: JessicaWu1

.github/workflows/push.yml

@@ -94,3 +94,36 @@ jobs:
           repository: "greenbone/automatix"
           workflow: "push.yml"
           inputs: '{"service": "${{ matrix.service }}", "image-url": "${{ matrix.image-url }}", "digest": "${{ matrix.digest }}", "version": "${{ matrix.version }}"}'
+
+  generate-and-push-sbom-trivy:
+    # generate and push SBOM only on tag pushes (releases)
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on:
+      - self-hosted
+      - self-hosted-generic
+      - self-hosted-generic-vm-amd64
+    needs: push-postgres
+    steps:
+      - name: Scan image in a private registry
+        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0
+        env:
+          TRIVY_USERNAME: ${{ secrets.GREENBONE_BOT_USERNAME }}
+          TRIVY_PASSWORD: ${{ secrets.GREENBONE_BOT_TOKEN }}
+        with:
+          image-ref: "${{ vars.IMAGE_REGISTRY}}/${{ github.repository}}:${{ github.ref_name }}"
+          scan-type: image
+          format: 'cyclonedx'
+          output: 'management-console-backend.${{ github.ref_name }}.sbom.json'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+          severity: "CRITICAL"
+      - name: Push and sign artifact
+        uses: greenbone/actions/[email protected]
+        with:
+          artifact-file: "management-console-backend.${{ github.ref_name }}.sbom.json"
+          artifact-url: "${{ vars.GREENBONE_REGISTRY }}/opensight-management-console-dev/management-console-backend-sbom:${{ github.ref_name }}"
+          artifact-folder: ${{ github.workspace }}
+          registry-user: ${{ secrets.GREENBONE_REGISTRY_USER }}
+          registry-domain: ${{ vars.GREENBONE_REGISTRY }}
+          registry-token: ${{ secrets.GREENBONE_REGISTRY_TOKEN }}
+          cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }}
+          cosign-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }}