{"id":30007614,"url":"https://github.com/octopusdeploy/upload-sbom-go","last_synced_at":"2026-03-05T02:12:07.999Z","repository":{"id":306169891,"uuid":"1024589493","full_name":"OctopusDeploy/upload-sbom-go","owner":"OctopusDeploy","description":"| Public | Simple CLI tool to upload SBOMs to Dependency Track","archived":false,"fork":false,"pushed_at":"2026-03-02T04:19:50.000Z","size":72,"stargazers_count":0,"open_issues_count":3,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-02T07:06:33.621Z","etag":null,"topics":["public"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OctopusDeploy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-23T00:27:48.000Z","updated_at":"2026-03-02T03:00:13.000Z","dependencies_parsed_at":"2026-03-02T05:01:51.088Z","dependency_job_id":null,"html_url":"https://github.com/OctopusDeploy/upload-sbom-go","commit_stats":null,"previous_names":["octopusdeploy/upload-sbom-go"],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/OctopusDeploy/upload-sbom-go","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OctopusDeploy%2Fupload-sbom-go","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OctopusDeploy%2Fupload-sbom-go/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OctopusDeploy%2Fupload-sbom-go/releases","
manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OctopusDeploy%2Fupload-sbom-go/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OctopusDeploy","download_url":"https://codeload.github.com/OctopusDeploy/upload-sbom-go/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OctopusDeploy%2Fupload-sbom-go/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30106446,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T01:39:18.192Z","status":"online","status_checked_at":"2026-03-05T02:00:06.710Z","response_time":93,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["public"],"created_at":"2025-08-05T08:52:50.953Z","updated_at":"2026-03-05T02:12:07.993Z","avatar_url":"https://github.com/OctopusDeploy.png","language":"Go","readme":"# Upload SBOM Go\n\nUploads SBOM data to a [Dependency-Track](https://dependencytrack.org) instance.\n\n## Input Variables\n\n| Flag      | Env Var               | Description                                             |\n|-----------|-----------------------|---------------------------------------------------------|\n| --url     | SBOM_UPLOADER_URL     | Dependency-Track API base URL                           |\n| --api-key | SBOM_UPLOADER_API_KEY | Dependency-Track API key                                |\n| --name    | SBOM_UPLOADER_NAME    | Project name for 
Dependency Track                       |\n| --version | SBOM_UPLOADER_VERSION | Project version for Dependency Track                    |\n| --parent  | SBOM_UPLOADER_PARENT  | Parent project for Dependency Track                     |\n| --tags    | SBOM_UPLOADER_TAGS    | Comma-separated project tags                            |\n| --latest  |                       | Mark as latest version (default true)                   |\n| --sbom    |                       | Path to SBOM file (optional; otherwise read from stdin) |\n\n## Building\n\n### Go\n\n`go build .`\n\n### Docker\n\n`docker pull ghcr.io/octopusdeploy/upload-sbom-go:latest`\nor build it locally:\n`docker build -t upload-sbom .`\n\n## Usage\n\n### CLI\n\n```shell\n./upload-sbom-go \nUsage:\n  sbom-uploader [flags]\n\nFlags:\n      --api-key string   Dependency-Track API key or env SBOM_UPLOADER_API_KEY\n  -h, --help             help for sbom-uploader\n      --latest           Mark as latest version (default true) (default true)\n      --name string      Project name or env SBOM_UPLOADER_NAME\n      --parent string    Parent project name or env SBOM_UPLOADER_PARENT\n      --sbom string      Path to SBOM file (optional; otherwise read from stdin)\n      --tags string      Comma-separated project tags or env SBOM_UPLOADER_TAGS\n      --url string       Dependency-Track API base URL or env SBOM_UPLOADER_URL\n      --version string   Project version or env SBOM_UPLOADER_VERSION\n```\n\n### Docker Volume Mount\n\nWhen using Docker, mount the directory containing the SBOM file into the container.\n\n```shell\nls bom.json # SBOM file on the local filesystem\ndocker run --rm -it \\\n  -e SBOM_UPLOADER_API_KEY=\"SBOM_UPLOADER_API_KEY\" \\\n  --mount \"type=bind,src=$(pwd),target=/tmp\" \\\n   ghcr.io/octopusdeploy/upload-sbom-go:latest \\\n   --url \"https://dependencytrack-api.local\" \\\n   --version \"0.0.1\" --tags \"tag1,tag2\" --parent \"parentname\" \\\n   --name \"projectname\" \\\n   --latest --sbom /tmp/bom.json\n```\n\n### Docker ENV 
Vars\n\nEnv vars can be stored in a file and passed in using the `--env-file` argument.\n\nEnv File `.env`:\n\n```ini\nSBOM_UPLOADER_URL=https://dependencytrack-api.local\nSBOM_UPLOADER_API_KEY=FOOBAR\nSBOM_UPLOADER_NAME=projectname\nSBOM_UPLOADER_VERSION=0.0.1\nSBOM_UPLOADER_PARENT=parentname\nSBOM_UPLOADER_TAGS=tag1,tag2\n```\n\nRunning Docker:\n\n```shell\ndocker run --rm -it --env-file=.env -v \"$(pwd)\":/tmp upload-sbom --sbom /tmp/bom.json\n```\n\n## GitHub Actions\n\nMake sure to generate an SBOM file before using this step. The `is-latest` flag should be set to `true` or `false`, likely based on whether the branch is `main`.\n\nUsage:\n\n```yaml\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Generate SBOM with Trivy\n        uses: aquasecurity/trivy-action@0.32.0\n        with:\n          format: 'cyclonedx'\n          scan-type: 'fs'\n          scan-ref: '.'\n          output: 'bom.json'\n\n      - name: Upload SBOM to Dependency Track\n        uses: OctopusDeploy/upload-sbom-go@v1.0.0\n        with:\n          dependency-track-url: ${{ secrets. }}\n          dependency-track-key: ${{ secrets. }}\n          project-name: my-project\n          project-version: 0.0.0\n          parent-name: my-parent\n          is-latest: true\n          project-tags: tag1,tag2\n          sbom-file: \"bom.json\"\n```\n\n## Dependency Track API Key\n\nWhen creating a Dependency Track API key, the following permissions are required:\n\n- PROJECT_CREATION_UPLOAD\n  - _Required for creating the project._\n- BOM_UPLOAD\n  - _Required for uploading the SBOM._\n\n## Common Errors\n\n### HTTP 403 upload failed\n\nIf you encounter an HTTP `403` error, your API key does not have the appropriate access. See the Dependency Track API Key section above.\n\n```text\nExecution failed: upload failed (403): \nError: Process completed with exit code 1.\n```\n\n### HTTP 404 upload failed\n\nIf your action runs into an HTTP `404` error, it is because the parent project does not exist. 
You must manually create a parent project in Dependency Track first.\n\n```text\nError: upload failed (404): The parent component could not be found.\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foctopusdeploy%2Fupload-sbom-go","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foctopusdeploy%2Fupload-sbom-go","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foctopusdeploy%2Fupload-sbom-go/lists"}