{"id":18941402,"url":"https://github.com/mchmarny/sbomer","last_synced_at":"2026-03-23T18:30:16.485Z","repository":{"id":159464540,"uuid":"591470945","full_name":"mchmarny/sbomer","owner":"mchmarny","description":"Generates daily SBOM and vulnerability reports for container images and saves resulting files into GCS bucket and data into BigQuery tables.","archived":false,"fork":false,"pushed_at":"2023-06-21T18:10:29.000Z","size":28182,"stargazers_count":1,"open_issues_count":3,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-12-31T22:42:46.706Z","etag":null,"topics":["bigquery","gcp","gcs","grype","report","sbom","syft","vex","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mchmarny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-20T20:53:57.000Z","updated_at":"2023-05-21T07:39:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"b9dafac1-73f4-47ba-ac55-661037428206","html_url":"https://github.com/mchmarny/sbomer","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fsbomer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fsbomer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fsbomer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mchmarny%2Fsbomer/manifests","ow
ner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mchmarny","download_url":"https://codeload.github.com/mchmarny/sbomer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239940366,"owners_count":19722009,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bigquery","gcp","gcs","grype","report","sbom","syft","vex","vulnerability"],"created_at":"2024-11-08T12:27:53.800Z","updated_at":"2026-03-23T18:30:16.441Z","avatar_url":"https://github.com/mchmarny.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sbomer\n\nGenerates a daily SBOM (using [syft](https://github.com/anchore/syft)) and vulnerability report (using [grype](https://github.com/anchore/grype)) for a local list of images ([images](./images)) and for the N [most popular community images](https://hub.docker.com/api/content/v1/products/search?page=1\u0026page_size=20\u0026q=%2B\u0026source=community\u0026type=image%2Cbundle) on [Docker Hub](https://hub.docker.com/). The resulting files are saved to a GCS bucket, and the data is imported into BigQuery tables. GCP authentication from the GitHub workflow is implemented using [OIDC](https://cloud.google.com/identity-platform/docs/web/oidc), so no long-lived service account key has to be stored in the repository.\n\n![](images/vuln-dash.png)\n\n
## setup\n\nTo set up your own instance of `sbomer`, first fork this repo and clone it locally. Next, deploy the service account, GCS bucket, and OIDC provider to your GCP project:\n\n```shell\nmake setup\n```\n\nWhen prompted, provide the two required parameters:\n\n* `project_id` - the ID of your GCP project (e.g. `your-project-id`)\n* `git_repo` - the name of your forked GitHub repo (e.g. `your-github-username/your-repo-name`)\n\n\u003e The defaults for optional parameters are defined in [setup/variables.tf](setup/variables.tf).\n\nThe output will include the parameters you need to update in [.github/workflows/process.yaml](.github/workflows/process.yaml). Find the `auth_provider`, `auth_account`, and `target_bucket` environment variables and set them to the `PROVIDER`, `ACCOUNT`, and `BUCKET` values printed by the setup, respectively:\n\n```yaml\nenv:\n  auth_provider: \"\u003cPROVIDER\u003e\"\n  auth_account: \"\u003cACCOUNT\u003e\"\n  target_bucket: \"\u003cBUCKET\u003e\"\n```\n\nThe workflow is currently set to execute multiple times a day. If you want to change that, alter the schedule at the top of [.github/workflows/list.yaml](.github/workflows/list.yaml).\n\n```yaml\non:\n  schedule:\n    - cron: '0 */5 * * *'\n```\n\nTo test, simply commit your changes and push upstream. In addition to the schedule described above, the workflow will also execute on each push to the main branch and on each PR.\n\n
## on-demand process\n\nYou can also execute the `process` workflow manually for any publicly accessible container image using either GitHub CLI (`gh`) or `curl`. For example, to generate the SBOM and vulnerability report for the `redis` image:\n\n### gh\n\n\u003e Instructions on how to install GitHub CLI are located [here](https://cli.github.com/manual/installation).\n\n```shell\ngh workflow run .github/workflows/process.yaml -f image=\"redis\"\n```\n\n### curl\n\n```shell\ncurl \\\n  -X POST \\\n  -H \"Accept: application/vnd.github.v3+json\" \\\n  -H \"Authorization: token $GITHUB_ACCESS_TOKEN\" \\\n  https://api.github.com/repos/$ORG/$REPO/actions/workflows/process.yaml/dispatches \\\n  -d '{\"ref\":\"main\", \"inputs\": { \"image\":\"redis\" }}'\n```\n\n
## data\n\nThe data from the SBOM and vulnerability report for each image is saved into two tables in BigQuery:\n\n### pkg\n\nThe [setup/schema/pkg.json](setup/schema/pkg.json) file contains the complete schema used to create the `pkg` table.\n\n| field | type | required |\n| ----- | ----- | ------- |\n| src_img | STRING | Y |\n| pkg_id | STRING | Y |\n| gen_day | STRING | Y |\n| gen_time | STRING | Y |\n| gen_by | STRING | Y |\n| pkg_name | STRING | Y |\n| pkg_version | STRING | Y |\n| pkg_license | STRING | Y |\n| ref_cat | STRING | Y |\n| ref_type | STRING | Y |\n| ref_locator | STRING | Y |\n\n### vul\n\nThe [setup/schema/vul.json](setup/schema/vul.json) file contains the complete schema used to create the `vul` table.\n\n| field | type | required |\n| ----- | ----- | ------- |\n| src_img | STRING | Y |\n| src_sha | STRING | Y |\n| gen_day | STRING | Y |\n| vul_id | STRING | Y |\n| vul_src | STRING | Y |\n| vul_sev | STRING | Y |\n| vul_state | STRING | Y |\n| art_name | STRING | Y |\n| art_version | STRING | Y |\n| arg_lang | STRING | Y |\n| art_purl | STRING | Y |\n\n
## cleanup\n\nTo delete all the resources created by Terraform in your GCP project:\n\n```shell\nmake destroy\n```\n\n## disclaimer\n\nThis is my personal project and it does not represent my employer. While I do my best to ensure that everything works, I take no responsibility for issues caused by this code.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchmarny%2Fsbomer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmchmarny%2Fsbomer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmchmarny%2Fsbomer/lists"}
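The `vul` table described in the README's "data" section maps directly onto grype's JSON output. The script below is an added example and not sbomer's own code (the project's conversion runs inside its GitHub workflow, which this page does not reproduce): it flattens a grype report into one row per match keyed by the `vul` column names, emits newline-delimited JSON for a BigQuery load, and rejects any row a REQUIRED STRING column would refuse. The sample report, the fake CVE identifiers and image digest in it, the `gen_day` date format, and the mapping of grype fields to columns are all assumptions made for the example; the column names are the page's.

```python
"""Flatten a grype JSON report into rows for the `vul` BigQuery table.

Added example, not sbomer's own code. The column names come from the README
table; the grype field mapping and the gen_day format are assumptions.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

# Column order of the `vul` table as listed in the README.
VUL_COLUMNS = (
    "src_img", "src_sha", "gen_day", "vul_id", "vul_src", "vul_sev",
    "vul_state", "art_name", "art_version", "arg_lang", "art_purl",
)

# Constructed sample modelled on `grype <image> -o json`, trimmed to the fields
# used below. The digest and CVE identifiers are placeholders, not real findings.
SAMPLE_GRYPE_JSON = json.dumps({
    "source": {"type": "image",
               "target": {"userInput": "redis", "imageID": "sha256:" + "ab" * 32}},
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001",
                           "dataSource": "https://example.invalid/advisory/1",
                           "severity": "High",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3",
                      "language": "", "purl": "pkg:deb/debian/libexample@1.2.3"}},
        {"vulnerability": {"id": "CVE-0000-0002",
                           "dataSource": "https://example.invalid/advisory/2",
                           "severity": "Negligible",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "examplepy", "version": "0.9",
                      "language": "python", "purl": "pkg:pypi/examplepy@0.9"}},
    ],
})


def load_report(raw: str) -> dict:
    """Parse a grype JSON document (file contents or the sample above)."""
    return json.loads(raw)


def grype_to_vul_rows(report: dict, gen_day: Optional[str] = None) -> list:
    """One row per grype match, keyed by `vul` column name.

    Every column is REQUIRED in the schema. BigQuery rejects NULL in a REQUIRED
    column but accepts "", so absent grype fields (e.g. language for OS packages)
    are written as empty strings rather than None.
    """
    target = report.get("source", {}).get("target", {})
    src_img = target.get("userInput") or ""
    # grype reports the image ID; fall back to the manifest digest if it is absent.
    src_sha = target.get("imageID") or target.get("manifestDigest") or ""
    # Assumed gen_day format: ISO calendar date in UTC, stored in a STRING column.
    day = gen_day or datetime.now(timezone.utc).strftime("%Y-%m-%d")
    rows = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        row = {
            "src_img": src_img,
            "src_sha": src_sha,
            "gen_day": day,
            "vul_id": vuln.get("id"),
            "vul_src": vuln.get("dataSource"),
            "vul_sev": vuln.get("severity") or "Unknown",
            "vul_state": vuln.get("fix", {}).get("state") or "unknown",
            "art_name": art.get("name"),
            "art_version": art.get("version"),
            "arg_lang": art.get("language"),
            "art_purl": art.get("purl"),
        }
        rows.append({c: (row[c] if row[c] is not None else "") for c in VUL_COLUMNS})
    return rows


def validate_rows(rows: list) -> bool:
    """Fail early on anything a REQUIRED STRING column would refuse at load time."""
    for i, row in enumerate(rows):
        for col in VUL_COLUMNS:
            if not isinstance(row.get(col), str):
                raise ValueError(f"row {i}: {col} must be a string, got {row.get(col)!r}")
    return True


def to_ndjson(rows: list) -> str:
    """Newline-delimited JSON, the input format for a BigQuery JSON load job."""
    return "".join(json.dumps(row, sort_keys=True) + "\n" for row in rows)


def severity_counts(rows: list) -> dict:
    """Per-severity totals for a quick per-image summary."""
    return dict(Counter(row["vul_sev"] for row in rows))


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GRYPE_JSON
    vul_rows = grype_to_vul_rows(load_report(raw))
    validate_rows(vul_rows)
    sys.stdout.write(to_ndjson(vul_rows))
    sys.stderr.write(f"severity counts: {severity_counts(vul_rows)}\n")
```

Run it with a real report (`grype redis -o json > redis.json; python vul_rows.py redis.json > vul.ndjson`) and the output can be loaded with `bq load --source_format=NEWLINE_DELIMITED_JSON` against the `vul` schema. The empty-string substitution matters because a single NULL in a REQUIRED column fails the whole load job, and grype routinely leaves `language` blank for OS packages.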