# Compliance-rules

Source: https://github.com/nginx/compliance-rules (repository description: "Rules for SCA and SAST scans")

## SBOM Workflows

[![Agent SBOM from source code](https://github.com/nginx/compliance-rules/actions/workflows/sbom-src-agent.yml/badge.svg)](https://github.com/nginxinc/compliance-rules/actions/workflows/sbom-src-agent.yml)
[![NGF SBOM from source code](https://github.com/nginx/compliance-rules/actions/workflows/sbom-src-ngf.yml/badge.svg)](https://github.com/nginxinc/compliance-rules/actions/workflows/sbom-src-ngf.yml)
[![NIC SBOM from source code](https://github.com/nginx/compliance-rules/actions/workflows/sbom-src-nic.yml/badge.svg)](https://github.com/nginxinc/compliance-rules/actions/workflows/sbom-src-nic.yml)

---

Compliance repository with the main rules for SCA and SAST scans.

This repository provides common GitHub Actions and GitHub workflows for code scans and for generating SBOM documents.

## Table of Contents

- [Configure Mend workflow](#configure-mend-workflow-in-a-github-repository)
- [Configure CodeQL workflow](#configure-codeql-workflow-in-a-github-repository)
- [Configure Assertion Document workflow](#configure-assertion-document-workflow)
- [Configure SBOM workflow for Go projects](#sbom-documents-for-go-projects)

## Configure Mend workflow in a GitHub repository

- Create a `mend.yml` workflow in your project repository

```yaml
name: Mend

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:
    inputs:
      branch:
        type: string
        required: false
        default: main
  workflow_call:
    inputs:
      branch:
        type: string
        required: true

permissions:
  contents: read

jobs:
  mend:
    uses: nginxinc/compliance-rules/.github/workflows/mend.yml@<git_tag>
    secrets: inherit
    with:
      product_name: <caller_product_name>_${{ github.head_ref || github.ref_name }}
      project_name: <caller_project_name>
```

- In the `mend` job, reference the main Mend workflow (in this repository). Pin `<git_tag>` to a release you have reviewed (or to a commit SHA with the tag in a comment, as described for the SBOM action below): `secrets: inherit` passes every secret available to the calling workflow to the referenced workflow.

```yaml
uses: nginxinc/compliance-rules/.github/workflows/mend.yml@<git_tag>
```

- Configure the `product_name` and `project_name` variables. They represent the `product` and `project` name of the calling GitHub repository.

```yaml
product_name: <caller_product_name>_${{ github.head_ref || github.ref_name }}
project_name: <caller_project_name>
```

### Mend workflow

1. GitHub triggers the Mend workflow defined in a project repository (for example `ProjectABC`).
1. The `mend` job references the Mend rules (the main `mend.yml`) defined in the workflow in this repository.
1. Mend scans the `ProjectABC` code and generates a vulnerability report.
1. Depending on the scan (vulnerability) rules defined in the main `mend.yml`, the pipeline fails or passes the scan.
1. The GitHub repository (`ProjectABC`) must be configured to reject PRs (prevent them from merging into the `main` branch) if the Mend pipeline fails.

## Configure CodeQL workflow in a GitHub repository

- Create a `codeql.yml` workflow in your project repository

```yaml
name: "CodeQL"

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:
    inputs:
      branch:
        type: string
        required: false
        default: main
  workflow_call:
    inputs:
      branch:
        type: string
        required: true

concurrency:
  group: ${{ github.ref_name }}-codeql
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  codeql:
    uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@<git_tag>
    with:
      requested_languages: go
```

- In the `codeql` job, reference the main `codeql` workflow (in this repository)

```yaml
uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@<git_tag>
```

### CodeQL workflow

1. GitHub triggers the CodeQL workflow defined in a project repository (for example `ProjectABC`).
1. The `codeql` job references the `codeql` rules (the main `codeql.yml`) defined in the workflow in this repository.
1. CodeQL analyses the `ProjectABC` code.
1. Depending on the results, the pipeline fails or passes.
1. The GitHub repository (`ProjectABC`) must be configured to reject PRs (prevent them from merging into the `main` branch) if CodeQL detects issues and the pipeline fails.

## Configure Assertion Document Workflow

### Data flow

![assertion](img/assertion-action.png)

#### GitHub Action Assertion - Configuration

In your project release workflow, add a step for generating the assertion document.

The assertion action requires the input variable `build-content-path`, which points to a text file containing the output of the `go version -m <binary>` command, where `binary` is the compiled Go binary, for example `agent`.

The full list of required variables:

- `artifact-name` - unique name of the binary built in the pipeline
- `artifact-digest` - calculated digest
- `build-type` - `github` or `gitlab`
- `builder-id` - `github.com`
- `builder-version`
- `invocation-id` - unique id for the build pipeline
- `artifactory-user` - `ARTIFACTORY_USER` stored in GitHub org secrets (`secrets.ARTIFACTORY_USER`)
- `artifactory-api-token` - `ARTIFACTORY_TOKEN` stored in GitHub org secrets (`secrets.ARTIFACTORY_TOKEN`)
- `artifactory-url` - `ARTIFACTORY_URL` stored in GitHub org secrets (`secrets.ARTIFACTORY_URL`)
- `artifactory-repo` - Artifactory repository used for pulling build dependencies, for example `f5-nginx-go-local-approved-dependency`
- `assertion-doc-file` - file generated by the action, `assertion_${{ unique identifier }}.json`
- `build-content-path` - file containing the output of the `go version -m` command executed against the binary
- `started-on` - start time
- `finished-on` - end time
- `log-level` - log level for the assertion action. Default value: `INFO`; other allowed values: `DEBUG`, `WARN`, `ERROR`.

After a successful run, the action produces an assertion document in JSON format. The Sign action takes the document, signs it, and stores it in GitHub storage.

Example:

```yaml
- name: Generate Assertion Document
  id: assertiondoc
  uses: nginxinc/compliance-rules/.github/actions/assertion@<git-tag>
  with:
    artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}
    artifact-digest: ${{ matrix.gateway.digest }}
    build-type: 'github'
    builder-id: 'github.com'
    builder-version: '0.1.0-xyz'
    invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
    artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
    artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
    artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
    artifactory-repo: 'f5-nginx-go-local-approved-dependency'
    assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json
    build-content-path: ${{ steps.godeps.outputs.goversionm }}
    started-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
    finished-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
    log-level: 'DEBUG'
```

#### GitHub Action Sign - Configuration

The `Sign` action takes the path to the generated assertion document, signs it, and stores the signed document in GitHub.

The list of required variables:

- `assertion-doc` - path to the file generated by the `Assertion` GitHub Action (`assertion-doc-file`)

Example:

```yaml
- name: Sign and Store Assertion Document
  id: sign
  uses: nginxinc/compliance-rules/.github/actions/sign@<git-tag>
  with:
    assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
```

## SBOM documents for Go projects

This section describes how to configure GitHub workflows to generate SBOM documents for both Go binaries and Go source code.

SBOMs generated from a binary are intended for customers, while SBOM documents generated from source code are for internal use.

### Generating SBOM for Go binary

To generate SBOMs for Go binaries, use the GitHub Action [sbom](https://github.com/nginxinc/compliance-rules/tree/main/.github/actions/sbom).

#### Configuration

The code snippet below illustrates how to include the SBOM step in a GitHub workflow and which parameters to pass to the action.

Reference the version of the SBOM action by its commit `sha` (`git_ref` in the example below) and add a comment with the corresponding git tag. Only the sha is immutable; a tag or branch can be moved to different code later. For example:

```yaml
uses: nginxinc/compliance-rules/.github/actions/sbom@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
```

Below is the full example of the GitHub workflow step that generates an SBOM document for the Go binary. The path to the binary is assigned to the `binary-name` variable.

```yaml
- name: Generate SBOM from binary
  uses: nginxinc/compliance-rules/.github/actions/sbom@<git_ref> # <git_tag>
  with:
    binary-name: ${{ steps.check.outputs.binary-path }}
    product-name: ${{ github.event.repository.name }}
    release-version: ${{ github.ref_name }}
    artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
    artifactory-token: ${{ secrets.ARTIFACTORY_TOKEN }}
    az-vault-client-id: ${{ secrets.AZ_VAULT_SEC_CLIENT_ID }}
    az-vault-tenant-id: ${{ secrets.AZ_VAULT_SEC_TENANT_ID }}
    az-vault-subscription-id: ${{ secrets.AZ_VAULT_SEC_SUBSCRIPTION_ID }}
```

where:

- `git_ref` can be a sha, git tag or branch
- `git_tag` is the git tag corresponding to the sha

The `sbom` action expects the following parameters:

- `binary-name` - path to the Go binary created in previous step(s)
- `product-name` - usually the git repository name (without the organization name), for example `agent`
- `release-version` - git tag, for example `v1.2.2`, or release branch name, for example `release-1.2.2`
- `artifactory-user` - `secrets.ARTIFACTORY_USER`
- `artifactory-token` - `secrets.ARTIFACTORY_TOKEN`

NGINX Security Team specific secrets set at the repository level:

- `az-vault-client-id` - `secrets.AZ_VAULT_SEC_CLIENT_ID`
- `az-vault-tenant-id` - `secrets.AZ_VAULT_SEC_TENANT_ID`
- `az-vault-subscription-id` - `secrets.AZ_VAULT_SEC_SUBSCRIPTION_ID`

### Generating SBOM for Go source code

To generate SBOMs for Go source code, use the GitHub Action [sbom-source](https://github.com/nginxinc/compliance-rules/tree/main/.github/actions/sbom-source).

Reference the version of the action by its commit `sha` (`git_ref` in the example below) and add a comment with the corresponding git tag, for example:

```yaml
uses: nginxinc/compliance-rules/.github/actions/sbom-source@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
```

```yaml
- name: Generate SBOM from source code
  uses: nginxinc/compliance-rules/.github/actions/sbom-source@<git_ref> # <git_tag>
  with:
    product-name: ${{ github.event.repository.name }}
    release-version: ${{ github.ref_name }}
    artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
    artifactory-token: ${{ secrets.ARTIFACTORY_TOKEN }}
    az-vault-client-id: ${{ secrets.AZ_VAULT_SEC_CLIENT_ID }}
    az-vault-tenant-id: ${{ secrets.AZ_VAULT_SEC_TENANT_ID }}
    az-vault-subscription-id: ${{ secrets.AZ_VAULT_SEC_SUBSCRIPTION_ID }}
```

where:

- `git_ref` can be a sha, git tag or branch
- `git_tag` is the git tag corresponding to the sha

The `sbom-source` action expects the following parameters:

- `product-name` - usually the git repository name (without the organization name), for example `agent`
- `release-version` - git tag, for example `v1.2.2`, or release branch name, for example `release-1.2.2`
- `artifactory-user` - `secrets.ARTIFACTORY_USER`
- `artifactory-token` - `secrets.ARTIFACTORY_TOKEN`

NGINX Security Team specific secrets set at the repository level:

- `az-vault-client-id` - `secrets.AZ_VAULT_SEC_CLIENT_ID`
- `az-vault-tenant-id` - `secrets.AZ_VAULT_SEC_TENANT_ID`
- `az-vault-subscription-id` - `secrets.AZ_VAULT_SEC_SUBSCRIPTION_ID`
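The Mend and CodeQL workflows above are referenced at `@<git_tag>`, and the SBOM sections ask for a commit sha with the tag in a trailing comment. The following Go program is an added example, not code from this repository, that lints a workflow file for `uses:` references that do not follow that convention (a mutable tag or branch, or a sha without a `# <tag>` comment). The sample workflow embedded in it is constructed for the example; the `actions/checkout` sha in it is a placeholder, and the other sha is the one quoted in the SBOM section.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// PinFinding is one `uses:` reference that does not follow the pinning convention:
// a full 40-hex commit SHA followed by a comment naming the corresponding tag.
type PinFinding struct {
	Line   int
	Ref    string
	Reason string
}

var (
	// Matches `uses: owner/repo/path@ref # tag` in a job (reusable workflow) or a
	// step (`- uses:`); group 1 is the reference, group 2 the optional comment.
	usesRE = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?(?:\s*#\s*(\S+))?`)
	shaRE  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// CheckPins scans workflow YAML line by line and reports every remote action or
// reusable workflow whose version is a tag or branch, or a SHA without a tag comment.
func CheckPins(workflow string) []PinFinding {
	var findings []PinFinding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref, tagComment := m[1], m[2]
		// Local actions (./path) and docker:// images carry no git ref; skip them.
		if strings.HasPrefix(ref, "./") || strings.HasPrefix(ref, "docker://") {
			continue
		}
		_, version, ok := strings.Cut(ref, "@")
		switch {
		case !ok:
			findings = append(findings, PinFinding{i + 1, ref, "missing @ref"})
		case !shaRE.MatchString(version):
			findings = append(findings, PinFinding{i + 1, ref, "version is a tag or branch, not a 40-hex commit SHA"})
		case tagComment == "":
			findings = append(findings, PinFinding{i + 1, ref, "SHA without a trailing '# <tag>' comment"})
		}
	}
	return findings
}

// SampleWorkflow is constructed for this example; the checkout SHA is a placeholder.
const SampleWorkflow = `name: Compliance
on: [pull_request]
permissions:
  contents: read
jobs:
  mend:
    uses: nginxinc/compliance-rules/.github/workflows/mend.yml@v0.3.1
    secrets: inherit
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: ./.github/actions/build
      - name: Generate SBOM from binary
        uses: nginxinc/compliance-rules/.github/actions/sbom@main
      - uses: nginxinc/compliance-rules/.github/actions/sbom-source@0aab935582c35a00e2c671d8fe25b7fdd72a927b
`

func main() {
	text := SampleWorkflow
	if len(os.Args) > 1 { // lint a real workflow file when a path is given
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		text = string(b)
	}
	findings := CheckPins(text)
	for _, f := range findings {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run pincheck.go .github/workflows/release.yml` (file name assumed) as a pre-merge check; it exits non-zero on the first unpinned reference. The `sbom@<git_ref> # <git_tag>` form from the SBOM section passes, while the `mend.yml@<git_tag>` and `codeql.yml@<git_tag>` forms fail until the tag is resolved to its sha. A sha pin only fixes which code runs; it does not replace reviewing that code before moving the pin.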
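The Assertion action above consumes the output of `go version -m <binary>` through `build-content-path`, but the README does not show what that file contains or what to check in it before signing. The following Go program is an added example, not code from this repository or from the assertion action: it parses that format into the main module, the dependency list with their `go.sum` hashes and `=>` replacements, and the `build` settings, then reports what a release reviewer would want to know before the document is signed. The embedded sample is constructed for the example; its module paths, versions, hashes and revision are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Module is one mod, dep or => (replacement) record from `go version -m`.
type Module struct {
	Path, Version, Sum string
	Replace            *Module // set on a dep when a "=>" line follows it
}

// BuildContent is the parsed output of `go version -m <binary>`.
type BuildContent struct {
	GoVersion, MainPath string
	Main                *Module
	Deps                []*Module
	Settings            map[string]string // "build" key=value records, e.g. vcs.revision
}

// ParseGoVersionM parses a "<binary>: <goversion>" header followed by
// tab-indented, tab-separated path/mod/dep/=>/build records.
func ParseGoVersionM(text string) (*BuildContent, error) {
	bc := &BuildContent{Settings: map[string]string{}}
	var last *Module // most recent mod/dep record, the target of a following "=>"
	for _, line := range strings.Split(text, "\n") {
		if !strings.HasPrefix(line, "\t") { // header line or blank line
			if _, ver, ok := strings.Cut(line, ": "); ok {
				bc.GoVersion = ver
			}
			continue
		}
		fields := strings.Split(line[1:], "\t")
		for len(fields) < 4 { // pad so path/version/sum can be indexed; Sum is "" without a go.sum entry
			fields = append(fields, "")
		}
		m := &Module{Path: fields[1], Version: fields[2], Sum: fields[3]} // used by the module records only
		switch fields[0] {
		case "path":
			bc.MainPath = fields[1]
		case "build":
			k, v, _ := strings.Cut(fields[1], "=")
			bc.Settings[k] = v
		case "mod":
			bc.Main, last = m, m
		case "dep":
			bc.Deps, last = append(bc.Deps, m), m
		case "=>":
			if last == nil {
				return nil, fmt.Errorf("replacement before any module: %q", line)
			}
			last.Replace = m
		default:
			return nil, fmt.Errorf("unknown record type %q", fields[0])
		}
	}
	return bc, nil
}

// Audit reports what a reviewer should see before the assertion document is signed:
// replaced deps, deps without a go.sum h1: hash, and a binary built from a dirty tree.
func Audit(bc *BuildContent) []string {
	var out []string
	for _, d := range bc.Deps {
		if d.Replace != nil {
			out = append(out, fmt.Sprintf("%s@%s replaced by %s@%s", d.Path, d.Version, d.Replace.Path, d.Replace.Version))
		} else if !strings.HasPrefix(d.Sum, "h1:") {
			out = append(out, fmt.Sprintf("%s@%s has no h1: checksum", d.Path, d.Version))
		}
	}
	if bc.Settings["vcs.modified"] == "true" {
		out = append(out, "vcs.modified=true: binary built from an uncommitted working tree")
	}
	return out
}

// SampleBuildContent is constructed for this example; paths, versions, hashes and revision are placeholders.
const SampleBuildContent = "agent: go1.22.3\n" +
	"\tpath\tgithub.com/example/agent\n" +
	"\tmod\tgithub.com/example/agent\t(devel)\t\n" +
	"\tdep\tgithub.com/google/uuid\tv1.6.0\th1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\n" +
	"\tdep\tgolang.org/x/sys\tv0.20.0\t\n" +
	"\t=>\t../sys\t(devel)\t\n" +
	"\tdep\tgithub.com/example/internal\tv0.0.0-20240101000000-abcdef012345\t\n" +
	"\tbuild\tvcs.revision=0123456789abcdef0123456789abcdef01234567\n" +
	"\tbuild\tvcs.modified=true\n"

func main() { // audits the constructed sample; pass the build-content-path file's contents for a real binary
	bc, err := ParseGoVersionM(SampleBuildContent)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(Audit(bc), "\n"))
}
```

A `=>` replacement pointing at a relative path, or a dependency with no `h1:` hash, means the binary was not built purely from modules that a registry (such as the Artifactory approved-dependency repository named above) can vouch for; `vcs.modified=true` means the recorded `vcs.revision` does not describe the sources that were actually compiled. Either condition is worth failing the release step on before the assertion document is signed.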