{"id":18436066,"url":"https://github.com/codenotary/sbom.sh-create","last_synced_at":"2026-03-19T04:22:58.238Z","repository":{"id":206440670,"uuid":"716639472","full_name":"codenotary/sbom.sh-create","owner":"codenotary","description":"SBOM.sh container analysis and scan using Grype provided as a GitHub Action","archived":false,"fork":false,"pushed_at":"2023-11-20T07:18:50.000Z","size":36,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-31T21:49:16.829Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/codenotary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-11-09T14:59:48.000Z","updated_at":"2025-01-27T20:22:19.000Z","dependencies_parsed_at":"2023-11-20T08:32:23.865Z","dependency_job_id":null,"html_url":"https://github.com/codenotary/sbom.sh-create","commit_stats":null,"previous_names":["codenotary/sbom.sh-create"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/codenotary/sbom.sh-create","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codenotary%2Fsbom.sh-create","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codenotary%2Fsbom.sh-create/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codenotary%2Fsbom.sh-create/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codenotary%2Fsbom.sh-create/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/codenotary","download_url":"https://codeload.github.com/codenotary/sbom.sh-create/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codenotary%2Fsbom.sh-create/sbom","scorecard":{"id":297088,"data":{"date":"2025-08-11","repo":{"name":"github.com/codenotary/sbom.sh-create","commit":"46f6b76f73dfe69fb8c6346e7621568ccb928eab"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-17T19:49:03.032Z","repository_id":206440670,"created_at":"2025-08-17T19:49:03.032Z","updated_at":"2025-08-17T19:49:03.032Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29667880,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-20T23:24:07.480Z","status":"ssl_error","status_checked_at":"2026-02-20T23:24:06.202Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T06:10:13.502Z","updated_at":"2026-02-20T23:40:00.762Z","avatar_url":"https://github.com/codenotary.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# sbom.sh-create\nSBOM.sh container and repository SBOM generation \u0026 sharing + vulnerability scan using Grype, Syft or Trivy provided as a GitHub Action\n# SBOM.sh GitHub Action\n\nThis GitHub Action integrates with [sbom.sh](https://sbom.sh/) to generate and upload Software Bill of Materials (SBOM) for your projects. Utilizing the `codenotary/sbom.sh` container image, this action supports various open-source SBOM tools such as Trivy, Grype, and Syft.\n\n## Features\n\n- Generate SBOMs for filesystems and container images.\n- Support for multiple scanning tools (Trivy, Grype, Syft).\n- Upload SBOMs directly to sbom.sh and obtain a shareable URL.\n- Optional vulnerability scanning and SBOM score calculation at sbom.sh.\n\n## Workflow Dispatch Options\n\nThis action can be triggered manually using the `workflow_dispatch` event. You can provide the following inputs:\n\n- `scan_type`: The type of scan to perform, such as `trivyfs`, `trivyimage`, `grypefs`, `grypeimage`, `syftfs`, or `syftimage`.\n- `target`: The target for the scan, which is applicable for image scans.\n\nWhen you navigate to the Actions tab of your GitHub repository, you will see an option to \"Run workflow\". You can select the branch you want to run the workflow on and provide the required inputs.\n\n\n## Usage\n\nTo use this action, add the following to your `.github/workflows` directory in a file like `sbom-analysis.yml`:\n\n```yaml\nname: \"Generate and Upload SBOM\"\n\non: [push, pull_request, workflow_dispatch]\n\njobs:\n  generate_sbom:\n    runs-on: ubuntu-latest\n    name: \"SBOM Generation\"\n    steps:\n      - name: Checkout Repository\n        uses: actions/checkout@v4\n      \n      - name: Generate SBOM\n        id: sbom_generation\n        uses: codenotary/sbom.sh-create@main\n        with:\n          scan_type: 'grypefs'\n          target: '.' # Assuming you want to scan the entire repository\n\n      - name: Output SBOM URL\n        run: echo \"The SBOM can be found at $SBOM_SHARE_URL\"\n\n```\n\n## Inputs\n- `scan_type`: Type of scan (trivyfs, trivyimage, grypefs, grypeimage, syftfs, syftimage).\n- `target`: Scan target (applicable for image scans).\n\n## About sbom.sh\n\nsbom.sh is a service that allows you to generate a valid Software Bill-of-Materials (SBOM) in CycloneDX or SPDX format. It provides a centralized platform to store SBOMs and facilitates better tracking and analysis of your software components.\n\nFor detailed documentation on the sbom.sh service and GitHub Action, visit https://sbom.sh or https://hub.docker.com/repository/docker/codenotary/sbom.sh/general.\n\n## License\nThis GitHub Action and corresponding scripts are released under the Apache2 License. See LICENSE for details.\n\n## Contributing\nContributions are welcome!","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodenotary%2Fsbom.sh-create","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodenotary%2Fsbom.sh-create","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodenotary%2Fsbom.sh-create/lists"}