{"id":38804096,"url":"https://github.com/rhyskoedijk/sbom-azure-devops","last_synced_at":"2026-01-17T12:49:07.431Z","repository":{"id":259868024,"uuid":"879506852","full_name":"rhyskoedijk/sbom-azure-devops","owner":"rhyskoedijk","description":"🛠️ Tool for generating SPDX 2.2/2.3 SBOMs from Azure DevOps repository artifacts using https://github.com/microsoft/sbom-tool","archived":false,"fork":false,"pushed_at":"2025-12-19T17:05:47.000Z","size":3189,"stargazers_count":17,"open_issues_count":12,"forks_count":6,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-21T08:53:24.172Z","etag":null,"topics":["azure-devops-extension","inventory","report","risk","sbom","sbom-generator","sbom-tool","security-vulnerability-assessment","software-bill-of-materials","spdx","supply-chain"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rhyskoedijk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-10-28T03:15:08.000Z","updated_at":"2025-12-17T21:09:52.000Z","dependencies_parsed_at":"2024-10-28T14:32:33.828Z","dependency_job_id":"04fcfbfd-deea-47f2-91f3-75ede262cefa","html_url":"https://github.com/rhyskoedijk/sbom-azure-devops","commit_stats":null,"previous_names":["rhyskoedijk/sbom-azure-devops"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/rhyskoedijk/sbom-azure-devops","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/rhyskoedijk%2Fsbom-azure-devops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhyskoedijk%2Fsbom-azure-devops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhyskoedijk%2Fsbom-azure-devops/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhyskoedijk%2Fsbom-azure-devops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rhyskoedijk","download_url":"https://codeload.github.com/rhyskoedijk/sbom-azure-devops/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhyskoedijk%2Fsbom-azure-devops/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28508609,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T11:50:55.898Z","status":"ssl_error","status_checked_at":"2026-01-17T11:50:55.569Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure-devops-extension","inventory","report","risk","sbom","sbom-generator","sbom-tool","security-vulnerability-assessment","software-bill-of-materials","spdx","supply-chain"],"created_at":"2026-01-17T12:49:07.309Z","updated_at":"2026-01-17T12:49:07.417Z","avatar_url":"https://github.com/rhyskoedijk.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SBOM Tool Azure DevOps Extension\r\n\r\nUnofficial Azure DevOps extension for [microsoft/sbom-tool](https://github.com/microsoft/sbom-tool). 
Sbom-tool runs locally on your pipeline agent without the need for subscriptions, account sign-ups, or shipping your data to a third-party service; all generated manifest files are published directly to your build artifacts and can be viewed in a human-friendly format from the \"SBOM\" build result tab.\r\n\r\nCheck referenced packages for known vulnerabilities against the [GitHub Advisory Database](https://github.com/advisories).\r\n\r\n![example.build.tab.security.png](images/example.build.tab.security.png)\r\n\r\nView referenced packages, including the package manager, type, dependency hierarchy, license, supplier, and vulnerability counts:\r\n\r\n![example.build.tab.packages.png](images/example.build.tab.packages.png)\r\n\r\nView manifest relationships as a network graph or export to SVG.\r\n\r\n![example.manifest.spdx.svg.png](images/example.manifest.spdx.svg.png)\r\n\r\nExport manifest objects to an XLSX workbook.\r\n\r\n![example.manifest.spdx.xlsx.png](images/example.manifest.spdx.xlsx.png)\r\n\r\n## Install\r\n\r\nInstall the extension from the [Visual Studio marketplace](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool).\r\n\r\n## Usage\r\n\r\nIn YAML pipelines:\r\n\r\n```yaml\r\njobs:\r\n  - job: publish\r\n    steps:\r\n      - task: DotNetCoreCLI@2\r\n        displayName: 'Publish project'\r\n        inputs:\r\n          command: 'publish'\r\n          publishWebProjects: true\r\n          arguments: '--output \"$(Build.ArtifactStagingDirectory)\"'\r\n\r\n      - task: sbom-tool@1\r\n        displayName: 'Generate project SBOM manifest'\r\n        inputs:\r\n          command: 'generate'\r\n          buildSourcePath: '$(Build.SourcesDirectory)'\r\n          buildArtifactPath: '$(Build.ArtifactStagingDirectory)'\r\n          enableManifestSpreadsheetGeneration: true\r\n          enableManifestGraphGeneration: true\r\n          enablePackageMetadataParsing: true\r\n          fetchLicenseInformation: true\r\n          
fetchSecurityAdvisories: true\r\n          gitHubConnection: 'GitHub Advisory Database Connection'\r\n          packageSupplier: 'MyOrganisation'\r\n          packageName: 'MyPackage'\r\n          packageVersion: '$(Build.BuildNumber)'\r\n\r\n      - task: PublishBuildArtifacts@1\r\n        displayName: 'Publish artifacts'\r\n        inputs:\r\n          PathtoPublish: '$(Build.ArtifactStagingDirectory)'\r\n          ArtifactName: 'drop'\r\n          publishLocation: 'Container'\r\n```\r\n\r\nThe SBOM manifest files will be uploaded to the build artifacts, under the `_manifest` folder.\r\n\r\n![example.build.artifacts.png](images/example.build.artifacts.png)\r\n\r\n## Advanced\r\n\r\n- [`rhyskoedijk/sbom-azure-devops` GitHub project](https://github.com/rhyskoedijk/sbom-azure-devops)\r\n- [`microsoft/sbom-tool` GitHub project](https://github.com/microsoft/sbom-tool)\r\n- [SPDX Online Tool](https://tools.spdx.org/app/)\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhyskoedijk%2Fsbom-azure-devops","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frhyskoedijk%2Fsbom-azure-devops","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhyskoedijk%2Fsbom-azure-devops/lists"}