Add manifest-cyber-upload job
Description
Addresses Issue #2090
Added new manifest-cyber-upload job to 4-findings stage.
This job takes the CycloneDX SBOM outputted from the anchore-scan job and uploads it to Manifest Cyber for analysis. The job outputs a vulnerability report in JSON format.
New CICD vars:
ENABLE_MANIFEST_CYBER - toggle for the job
MANIFEST_CYBER_TOKEN - API token for interacting with Manifest Cyber.
Multiple Manifest Cyber API routes are used to retrieve all data for a particular vulnerability. This can probably be refactored once Manifest Cyber releases the /dependency/stackByVulnerability?assetId=your-asset-id&cveId=all endpoint (it's currently in pre-release and unavailable to the public).
Sample Manifest Cyber Vulnerability report
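As an added illustration (not this MR's own YAML and not the project's code), this is the shape such a job takes in GitLab CI: toggle via rules, allowed to fail, consuming the anchore-scan artifact and publishing the JSON report. The SBOM artifact name, report filename, multipart field name and the MANIFEST_CYBER_API_URL placeholder are assumptions, and the several Manifest Cyber routes the MR mentions are collapsed into one placeholder upload call.

```yaml
# Added illustration of the job shape described above; not the MR's own YAML.
# Assumptions (not from the MR): the SBOM artifact path, the report filename,
# the "sbom" multipart field, and the placeholder MANIFEST_CYBER_API_URL variable;
# the real Manifest Cyber upload endpoint must be filled in from its documentation.
manifest-cyber-upload:
  stage: 4-findings
  needs:
    - job: anchore-scan
      artifacts: true          # pulls in the CycloneDX SBOM produced upstream
  # Only run when the toggle holds a non-empty value; an empty string makes the
  # rule false, which is exactly what the rollback plan relies on.
  rules:
    - if: $ENABLE_MANIFEST_CYBER
  allow_failure: true          # a Manifest Cyber outage never blocks the pipeline
  variables:
    SBOM_PATH: "sbom-cyclonedx.json"                   # assumed artifact name
    REPORT_PATH: "manifest-cyber-vulnerabilities.json"  # assumed report name
  script:
    - |
      set -euo pipefail
      : "${MANIFEST_CYBER_TOKEN:?MANIFEST_CYBER_TOKEN is not set}"
      : "${MANIFEST_CYBER_API_URL:?placeholder: set to the documented upload endpoint}"
      test -s "$SBOM_PATH" || { echo "no SBOM artifact from anchore-scan"; exit 1; }
      # Send the token in a header so it never lands in the URL or the job log.
      curl --fail --silent --show-error \
        -H "Authorization: Bearer ${MANIFEST_CYBER_TOKEN}" \
        -F "sbom=@${SBOM_PATH};type=application/json" \
        "$MANIFEST_CYBER_API_URL" -o "$REPORT_PATH"
      # Refuse to publish a non-JSON body (e.g. an HTML error page) as the report.
      python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$REPORT_PATH"
  artifacts:
    when: always
    paths:
      - $REPORT_PATH
```

Mark MANIFEST_CYBER_TOKEN as masked in the project's CI/CD variable settings so a verbose curl run cannot echo it into the job log.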
Risk
Minimal risk. The manifest-cyber-upload job is allowed to fail in the pipeline and only runs when enabled by ENABLE_MANIFEST_CYBER.
Rollback Plan
Disable the manifest-cyber-upload job by setting the ENABLE_MANIFEST_CYBER env var to an empty string.