This repository uses GitHub's dependency graph to automatically build an SBOM in SPDX 2.3 format. It supports the same ecosystems as the dependency graph. If you need support for a different set of formats, we recommend having a look at the Microsoft SBOM Tool, or Anchore's Syft.
You can add this Action to a GitHub Actions workflow by adding the following YAML to a workflow file. This publishes the SBOM as an artifact in the Actions workflow run.
```yaml
name: SBOM Generator
on:
  push:
    branches: [ "main" ]
  workflow_dispatch:
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: advanced-security/[email protected]
        id: sbom
        env:
          GITHUB_TOKEN: ${{ github.token }}
      - uses: actions/[email protected]
        with:
          path: ${{ steps.sbom.outputs.fileName }}
          name: "SBOM"
```
- Clone this repository to your local machine.
- Change to that directory and run `npm install -g .` to install this CLI locally.
- Run `sbom-generator "githubtoken" "owner/name"`, where `githubtoken` is a legacy GitHub token with repository read permission and `owner/name` matches a GitHub repository. Alternatively, this script will automatically populate those values from the `GITHUB_TOKEN` and `GITHUB_REPOSITORY` environment variables.
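As an added example (not the action's own code, nor the `sbom-generator` CLI's), the following Python script mirrors the CLI's argument contract above and then checks the exported document before anyone relies on it as an artifact. It assumes the GitHub REST endpoint `GET /repos/{owner}/{repo}/dependency-graph/sbom` returning `{"sbom": {...}}`, and the `SAMPLE_SBOM` document is constructed for illustration.

```python
"""Added example, not the action's or CLI's own code: fetch a repository's
dependency-graph SBOM and sanity-check it. Assumes the GitHub REST endpoint
GET /repos/{owner}/{repo}/dependency-graph/sbom, which returns {"sbom": {...}}."""
import json
import urllib.request

SPDX_VERSION = "SPDX-2.3"

# Constructed sample in the shape of the export, not real output.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "com.github.example/app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "com.github.example/app", "versionInfo": "main"},
        {"SPDXID": "SPDXRef-npm-lodash", "name": "npm:lodash", "versionInfo": "4.17.21"},
        {"SPDXID": "SPDXRef-pip-requests", "name": "pip:requests", "versionInfo": "2.31.0"},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-app"}],
}


def resolve_args(argv, env):
    """Same contract as the CLI: positional token and owner/name, with
    GITHUB_TOKEN / GITHUB_REPOSITORY as the fallback for either value."""
    token = argv[1] if len(argv) > 1 else env.get("GITHUB_TOKEN")
    repo = argv[2] if len(argv) > 2 else env.get("GITHUB_REPOSITORY")
    if not token or not repo or "/" not in repo:
        raise ValueError("need a token and a repository in owner/name form")
    return token, repo


def fetch_sbom(token, repo):
    """Download the SBOM over the REST API (network call; token only needs read)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{repo}/dependency-graph/sbom",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["sbom"]


def dependencies(sbom):
    """Reject anything that is not SPDX 2.3, then map dependency name -> version,
    leaving out the package(s) the document itself DESCRIBES (the repository)."""
    if sbom.get("spdxVersion") != SPDX_VERSION:
        raise ValueError(f"expected {SPDX_VERSION}, got {sbom.get('spdxVersion')!r}")
    roots = {r["relatedSpdxElement"] for r in sbom.get("relationships", [])
             if r["relationshipType"] == "DESCRIBES"}
    return {p["name"]: p.get("versionInfo", "") for p in sbom.get("packages", [])
            if p["SPDXID"] not in roots}
```

To run it end to end, call `resolve_args(sys.argv, os.environ)`, pass the result to `fetch_sbom`, and feed the returned document to `dependencies`; the version check fails loudly if the export format ever changes under you.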
This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.