Support SBOM format in actions #18918
Unanswered
davidkarlsen
asked this question in
Code Security
Replies: 2 comments 1 reply
-
Support for the CycloneDX standard would be ideal as it’s already supported by the majority of SCA and related security vendors , and has already been standardized upon by GitLab. Support in Actions would provide an easy path forward for many organizations, and provide the Interop they require. |
Beta Was this translation helpful? Give feedback.
1 reply
-
SPDX is another important, and widely used, open-source standard. NTIA has come up with a mapping between the standards, so it may be possible to support both: https://www.ntia.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
It would be good if the tooling could support SBOM formats: https://anchore.com/sbom/key-things-to-know-about-sboms-and-sbom-standards/
That way you can rely on a standard for software bill of material, rather than having to have implementations for the various languages (like pom.xml etc), sbom tooling already support things like python, maven etc, and thus a bridge for sbom -> github dependency api is all that's needed
https://github.com/CycloneDX/cyclonedx-maven-plugin
https://github.com/anchore/syft
Beta Was this translation helpful? Give feedback.
All reactions