SonarSource/gh-action_sbom

gh-action_sbom

Action and reusable workflow for Docker SBOM generation from GitHub workflows.

The generation of the Software Bill of Materials (SBOM) is implemented with Syft and sbom-action.

The SBOM files are signed and can be attached to the workflow run as an artifact and to the release.

Usage

The SBOM file is signed if the upload-artifact parameter is true and the GPG secrets (GPG_PRIVATE_KEY_BASE64 and GPG_PRIVATE_KEY_PASSPHRASE) are provided.

GitHub Action

jobs:
  job-calling-action:
    steps:
      - uses: SonarSource/gh-action_sbom@v1
        with:
          image: example/image_name:tag
          filename: bom.json
          upload-artifact: true
          upload-release-assets: true
        env:
          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
          GPG_PRIVATE_KEY_BASE64: ${{ secrets.GPG_PRIVATE_KEY_BASE64 }}

GitHub Reusable Workflow

⚠️ The strategy property is not supported in any job that calls a reusable workflow. See https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations

jobs:
  job-calling-workflow:
    uses: SonarSource/gh-action_sbom/.github/workflows/workflow.yml@v1
    with:
      image: example/image_name:tag
      filename: bom.json
      upload-artifact: true
      upload-release-assets: true
    secrets:
      GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
      GPG_PRIVATE_KEY_BASE64: ${{ secrets.GPG_PRIVATE_KEY_BASE64 }}

Versioning

Using the versioned semantic tags is recommended for security and reliability.

See GitHub: Using tags for release management and GitHub: Keeping your actions up to date with Dependabot.

For convenience, it is possible to use the branches following the major releases.

Tags

This repository is released following semantic versioning, i.e. 1.0.0.

jobs:
  job-calling-workflow:
    uses: SonarSource/gh-action_sbom/.github/workflows/workflow.yml@1.0.0

  job-calling-action:
    steps:
      - uses: SonarSource/gh-action_sbom@1.0.0

Branches

The master branch shall not be referenced by end-users.

Branches prefixed with a v are pointers to the latest release of each major version, i.e. v1.

jobs:
  job-calling-workflow:
    uses: SonarSource/gh-action_sbom/.github/workflows/workflow.yml@v1

  job-calling-action:
    steps:
      - uses: SonarSource/gh-action_sbom@v1

Note: reference branches only with caution and with confidence in the provider, since a branch can move to a new commit while a release tag cannot.
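The versioning policy above (release tags recommended, v* major branches tolerated, master never referenced) can be checked mechanically before a workflow is merged. The following audit script is an added example, not part of this repository; it scans workflow text with a line-based match rather than a YAML parser, and the sample workflow is constructed for the demonstration.

```python
import re

# Matches `uses:` lines that point at this action or its reusable workflow, in both
# the step form ("- uses: ...") and the job form ("uses: ..."), capturing the ref.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*SonarSource/gh-action_sbom(?:/[^@\s]*)?@(?P<ref>\S+)"
)
SEMVER_TAG_RE = re.compile(r"^\d+\.\d+\.\d+$")   # release tag, e.g. 1.0.0
MAJOR_BRANCH_RE = re.compile(r"^v\d+$")           # major shortcut branch, e.g. v1

def classify_ref(ref):
    """Map the ref after '@' to the policy category described in the README."""
    if SEMVER_TAG_RE.match(ref):
        return "pinned"        # recommended: an immutable release tag
    if MAJOR_BRANCH_RE.match(ref):
        return "major-branch"  # allowed for convenience, requires trust in the provider
    return "forbidden"         # master, branch-* and anything else

def audit_workflow(text):
    """Return (line number, ref, category) for every reference to the action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group("ref"), classify_ref(m.group("ref"))))
    return findings

def policy_ok(findings, allow_major_branch=True):
    """True when no reference violates the policy; major branches are optional."""
    allowed = {"pinned", "major-branch"} if allow_major_branch else {"pinned"}
    return all(category in allowed for _, _, category in findings)

# Constructed sample workflow (not from the repository) covering the three cases.
SAMPLE_WORKFLOW = """\
jobs:
  job-calling-workflow:
    uses: SonarSource/gh-action_sbom/.github/workflows/workflow.yml@1.0.0
  job-calling-action:
    steps:
      - uses: SonarSource/gh-action_sbom@v1
  job-on-master:
    steps:
      - uses: SonarSource/gh-action_sbom@master
"""

if __name__ == "__main__":
    for lineno, ref, category in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: @{ref} -> {category}")
    print("policy ok:", policy_ok(audit_workflow(SAMPLE_WORKFLOW)))
```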

Development

The development is done on master and the branch-* maintenance branches.

Release

Create a release from a maintained branch, then update the v* shortcut branch to point at the new tag:

git fetch --tags
git update-ref -m "reset: update branch v1 to tag 1.0.0" refs/heads/v1 1.0.0
git push origin v1

FAQ

Warning Unexpected input

Warning: Unexpected input(s) 'upload-artifact', 'upload-release-assets',
valid inputs are ['path', 'image', 'registry-username', 'registry-password', 'format', 'github-token', 'artifact-name', 'output-file', 'syft-version', 'dependency-snapshot']

The warning can be ignored; see anchore/sbom-action#269.

References

Xtranet/RE/Artifact Management#GitHub Actions

Semantic Versioning 2.0.0

GitHub: About Custom Actions

Syft

Syft GitHub Action for SBOM Generation