{"id":23421132,"url":"https://github.com/nhsdigital/eps-action-sbom","last_synced_at":"2026-01-07T20:15:06.919Z","repository":{"id":256180803,"uuid":"854495308","full_name":"NHSDigital/eps-action-sbom","owner":"NHSDigital","description":null,"archived":false,"fork":false,"pushed_at":"2024-11-28T11:01:29.000Z","size":540,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-06T20:00:25.796Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NHSDigital.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-09T09:22:17.000Z","updated_at":"2024-11-28T11:01:34.000Z","dependencies_parsed_at":"2024-09-16T09:58:01.742Z","dependency_job_id":"c859a188-35f7-4054-b4b2-7cf8fd288c0c","html_url":"https://github.com/NHSDigital/eps-action-sbom","commit_stats":null,"previous_names":["nhsdigital/eps-action-sbom"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHSDigital%2Feps-action-sbom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHSDigital%2Feps-action-sbom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHSDigital%2Feps-action-sbom/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHSDigital%2Feps-action-sbom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/NHSDigital","download_url":"https://codeload.github.com/NHSDigital/eps-action-sbom/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248013040,"owners_count":21033294,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-23T02:14:06.926Z","updated_at":"2026-01-07T20:15:06.914Z","avatar_url":"https://github.com/NHSDigital.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# EPS SBOM scanning action\n\n[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=NHSDigital_eps-action-sbom\u0026metric=alert_status)](https://sonarcloud.io/summary/new_code?id=NHSDigital_eps-action-sbom)\n\nThis workflow generates a Software Bill Of Materials (SBOM) for Python and NPM in a project. It also scans these for security vulnerabilities, and reports an error if any are found. Reports are uploaded as artifacts.\n\nUnder the hood, it uses `syft`. The repository's devcontainer is built, the project is installed, and `syft` then scans the whole container to produce a series of SBOM. 
These are then scanned with `grype`.\n\nSpecific vulnerabilities can be ignored for a repository by adding the issue ID to an ignore file in the relevant repository: `ignored_security_issues.json`, e.g.\n```\n[\n  {\n    \"vulnerability_id\": \"GHSA-4jcv-vp96-94xr\",\n    \"reason\": \"The fix for this vulnerability is planned for the next sprint\"\n  }\n]\n```\n\nThis file must be in the root of the project.\n\n## Requirements\n\nWhen used as part of a GitHub workflow, this action assumes that the workflow has already installed the target project, for example by having run a `make install` command. The Docker container that the action is being run inside of will be scanned to produce the SBOM.\n\n## Secrets\n\n### `GITHUB_TOKEN`\n\nSome `npm` packages require a GitHub token to access a private repository. This token is assumed to be supplied as a secret, keyed as `GITHUB_TOKEN`. GitHub should add this automatically.\n\n## Outputs\n\nNone\n\n## Example usage\n\nSimply call the job in a workflow file, after the project is built. For example,\n\n```\nname: SBOM scan PR\n\non:\n  pull_request:\n    branches: [main]\n\njobs:\n  create_sbom:\n    runs-on: ubuntu-latest\n    steps:\n      - name: build_project\n        run: |\n          make install\n\n      - name: sbom_scans\n        uses: NHSDigital/eps-action-sbom/.github/workflows/sbom_workflow.yml@\u003cVERSION TAG\u003e\n```\n\n### Pull request quality check failures\n\nIf a pull request fails in the quality checks action on the test job, it is likely that one of the no-issues packages now has a vulnerability.\nTo fix this, in the test/no-issues folder, remove the suffix _no-check from the package file, update the dependency in the file to the latest version and update the lock file for the package (e.g. npm install, poetry lock). 
Add back in the suffix and commit and push the change.\n  ","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnhsdigital%2Feps-action-sbom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnhsdigital%2Feps-action-sbom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnhsdigital%2Feps-action-sbom/lists"}