GitHub SBOM(s) Generator Action
This GitHub Action and/or standalone CLI application generates a Software Bill of Materials (SBOM) for a given GitHub repository or a list of repositories, using the GitHub Dependency Graph API. The Software Bill of Materials that is generated based on the SPDX specification and is saved in JSON format. The GitHub Action is a composite action that you can easily integrate in your existing workflows.
Usage
There are two ways to use this repository. One way is to use it as a composite GitHub action, the other is to use it as a standalone commandline application. Both ways are explained below.
Usage GitHub Action
To use this composite action in your workflow, you can include the following step in your workflow YAML file:
- name: Generate GitHub SBOMs
uses: brend-smits/github-sbom-generator-action@<tag-or-branch>
with:
repo_list_path: <path-to-repo-list-file>
save_directory_path: <path-to-save-directory>
github_token: ${{ secrets.GITHUB_TOKEN }}
Replace <tag-or-branch> with the specific tag or branch of the composite action that you want to use, <path-to-repo-list-file> with the path to a file containing a list of repository names, and <path-to-save-directory> with the path to the directory where you want to save the retrieved SBOMs. Also, make sure to provide the GITHUB_TOKEN secret in your workflow to authenticate with the GitHub API.
The composite action requires the following input:
repoListPath: The path to a file containing a list of repository names to retrieve SBOMs for.saveDirectoryPath: The path to the directory where the retrieved SBOMs will be saved.token: The GitHub API token for authentication.
The composite action produces no outputs.
Example
Here's an example of how you can use the composite action in your workflow:
name: Retrieve SBOMs
on:
push:
branches:
- main
jobs:
retrieve-sboms:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Retrieve GitHub SBOMs
uses: brend-smits/[email protected] # x-release-please-version
with:
repo_list_path: gh-repos.txt
save_directory_path: sboms
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Upload all sboms
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
with:
name: all-repos-sboms
path: sboms
This workflow retrieves SBOMs for repositories listed in the gh-repos.txt file and saves them to a sboms directory.
Usage CLI Application
Please refer to CONTRIBUTING.md on how to build and run the application locally. There is currently no binary that is distributed yet.
Usecases
Having the ability to retrieve (all) SBOM(s) from an organization in e.g. a central repository allows you to do all sorts of fun things like:
- License checking
- Metrics
- Security checks
- Compliancy checks with Continuous Compliance
State
⚠️ Experimental!
This application/action is new and still undergoing testing. Feel free to give it a try and give suggestions or feedback by creating a new GitHub Issue.
2 Aug 9, 2022
2 Dec 15, 2022
30 Dec 22, 2022
5.2k Jan 5, 2023
215 Jan 4, 2023
10 Dec 13, 2022
57 Feb 22, 2023
11 Mar 19, 2023
5 Sep 15, 2022
80 Sep 8, 2022
3 Sep 9, 2023
10 Dec 11, 2022
54 Dec 20, 2022
65 Nov 2, 2022
1 Jan 10, 2022
50 Dec 23, 2022
11 Aug 17, 2022
54 Sep 12, 2022