Skip to content
play

GitHub Action

sbom.sh-create

v1.1 Latest version

sbom.sh-create

play

sbom.sh-create

SBOM.sh - Generate and upload SBOM to sbom.sh using Trivy, Syft, or Grype

Installation

Copy and paste the following snippet into your .yml file.

              

- name: sbom.sh-create

uses: codenotary/sbom.sh-create@v1.1

Learn more about this action in codenotary/sbom.sh-create

Choose a version

sbom.sh-create

SBOM.sh container and repository SBOM generation & sharing + vulnerability scan using Grype, Syft or Trivy provided as a GitHub Action

SBOM.sh GitHub Action

This GitHub Action integrates with sbom.sh to generate and upload Software Bill of Materials (SBOM) for your projects. Utilizing the codenotary/sbom.sh container image, this action supports various open-source SBOM tools such as Trivy, Grype, and Syft.

Features

  • Generate SBOMs for filesystems and container images.
  • Support for multiple scanning tools (Trivy, Grype, Syft).
  • Upload SBOMs directly to sbom.sh and obtain a shareable URL.
  • Optional vulnerability scanning and SBOM score calculation at sbom.sh.

Workflow Dispatch Options

This action can be triggered manually using the workflow_dispatch event. You can provide the following inputs:

  • scan_type: The type of scan to perform, such as trivyfs, trivyimage, grypefs, grypeimage, syftfs, or syftimage.
  • target: The target for the scan, which is applicable for image scans.

When you navigate to the Actions tab of your GitHub repository, you will see an option to "Run workflow". You can select the branch you want to run the workflow on and provide the required inputs.

Usage

To use this action, add the following to your .github/workflows directory in a file like sbom-analysis.yml:

name: "Generate and Upload SBOM"

on: [push, pull_request, workflow_dispatch]

jobs:
  generate_sbom:
    runs-on: ubuntu-latest
    name: "SBOM Generation"
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      
      - name: Generate SBOM
        id: sbom_generation
        uses: codenotary/sbom.sh-create@main
        with:
          scan_type: 'grypefs'
          target: '.' # Assuming you want to scan the entire repository

      - name: Output SBOM URL
        run: echo "The SBOM can be found at $SBOM_SHARE_URL"

Inputs

  • scan_type: Type of scan (trivyfs, trivyimage, grypefs, grypeimage, syftfs, syftimage).
  • target: Scan target (applicable for image scans).

About sbom.sh

sbom.sh is a service that allows you to generate a valid Software Bill-of-Materials (SBOM) in CycloneDX or SPDX format. It provides a centralized platform to store SBOMs and facilitates better tracking and analysis of your software components.

For detailed documentation on the sbom.sh service and GitHub Action, visit https://sbom.sh or https://hub.docker.com/repository/docker/codenotary/sbom.sh/general.

License

This GitHub Action and corresponding scripts are released under the Apache2 License. See LICENSE for details.

Contributing

Contributions are welcome!