{"id":31753773,"url":"https://github.com/servicenow/vulnerability-response","last_synced_at":"2025-10-09T17:54:20.602Z","repository":{"id":244363683,"uuid":"813792665","full_name":"ServiceNow/vulnerability-response","owner":"ServiceNow","description":"A GitHub Action to facilitate integrating with ServiceNow SBOM Workspace.","archived":false,"fork":false,"pushed_at":"2024-08-13T21:17:31.000Z","size":8337,"stargazers_count":0,"open_issues_count":2,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2024-08-15T00:17:45.997Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ServiceNow.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-11T18:50:31.000Z","updated_at":"2024-07-03T18:18:27.000Z","dependencies_parsed_at":"2024-08-06T09:16:36.986Z","dependency_job_id":"4d89d8bf-ebd1-4626-8a90-0f765adfa63a","html_url":"https://github.com/ServiceNow/vulnerability-response","commit_stats":null,"previous_names":["servicenow/vulnerability-response"],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/ServiceNow/vulnerability-response","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ServiceNow%2Fvulnerability-response","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ServiceNow%2Fvulnerability-response/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ServiceNow%2Fvulnerability-response/releases","manifests_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ServiceNow%2Fvulnerability-response/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ServiceNow","download_url":"https://codeload.github.com/ServiceNow/vulnerability-response/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ServiceNow%2Fvulnerability-response/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279001804,"owners_count":26083197,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-09T17:54:15.411Z","updated_at":"2025-10-09T17:54:20.589Z","avatar_url":"https://github.com/ServiceNow.png","language":"JavaScript","readme":"# ServiceNow SBOM Upload\n\nUse this action to upload and optionally check the status of the SBOM on ServiceNow.\n\n\u003e **Product Links**\n\u003e\n\u003e - ServiceNow [Vulnerability Response](https://www.servicenow.com/products/vulnerability-response.html#features)\n\u003e - Vulnerability Response [technical documentation](https://docs.servicenow.com/bundle/tokyo-security-management/page/product/vulnerability-response/reference/vuln-landing-page.html)\n\n# Usage\n\nThis action facilitates uploading a SBOM document to the SBOM Workspace. 
Configuring the values of the action's `provider`, `repository`, `ref` and `path` input parameters determines which SBOM document the action will upload.\n\n### Prerequisites\n\n- The Vulnerability Response application must already be installed on the provided ServiceNow instance\n- The following repository secrets must be set:\n\n  | Secret Name        | Example                             | Description                                                                                                                                                                                                            |\n  | ------------------ | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n  | `SN_INSTANCE_URL`  | `https://instance.service-now.com/` | The URL of the ServiceNow instance with an accessible SBOM Workspace. Ensure the URL has the _scheme_ (`https`), _subdomain_ (`instance`), _domain_ (`service-now`), and _top-level domain_ (`com`) for your instance. |\n  | `SN_SBOM_USER`     | `username`                          | The username used to log into the ServiceNow instance. The user should have the _sbom_ingest_ role assigned to it.                                                                                                     |\n  | `SN_SBOM_PASSWORD` | `password`                          | The password used to log into the ServiceNow instance. The user should have the _sbom_ingest_ role assigned to it.                                                                                                     |\n  | `GH_TOKEN`         | `gh_78dajnkrffj2806fuz7578o`        | A GitHub token used to access the repository that is storing the SBOM document.                                                                                                                                
        |\n\n  \u003e The `GH_TOKEN` must be generated with the [`repo`](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#:~:text=Grants%20full%20access,owned%20by%20users.) scope.\n\n  \u003e GitHub repository secrets [documentation](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).\n\n### Usage\n\nThe action may be launched from any supported [GitHub Action trigger](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows). The example below is sensitive to `push` events.\n\n```yml\non: [push]\n\njobs:\n  sbom-upload:\n    runs-on: ubuntu-latest\n    name: SBOM Workspace Upload\n    steps:\n      - name: Upload\n        id: upload\n        uses: ServiceNow/vulnerability-response@2.0.1\n        with:\n          snSbomUser: ${{ secrets.SN_SBOM_USERNAME }}\n          snSbomPassword: ${{ secrets.SN_SBOM_PASSWORD }}\n          snInstanceUrl: ${{ secrets.SN_INSTANCE_URL }}\n          ghToken: ${{ secrets.GH_TOKEN }}\n          ghAccountOwner: \u003cREPOSITORY OWNER\u003e\n          repository: \u003cREPOSITORY NAME\u003e\n          provider: \"repository\"\n          path: \"sboms/sample_sbom.txt\"\n```\n\n**Non-Optional, Public Inputs: Configuration**\n\n\u003e These inputs configure the behavior of the action.\n\n| Input Name       | Example                           | Description                                                                                                                                                                                                                                                                                                          |\n| ---------------- | --------------------------------- 
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `ghAccountOwner` | `github-account`                  | The account that owns the target repository.                                                                                                                                                                                                                                                                         |\n| `repository`     | `github-repository`               | The name of the repository that holds the target SBOMs.                                                                                                                                                                                                                                                              |\n| `provider`       | `repository` \\| `dependencyGraph` | The value `repository` means an SBOM will be picked from a GitHub repository. The SBOM at the `ghAccountOwner/repository/path` will be picked. The value of `dependencyGraph` will generate an SBOM using GitHub's Dependency Graph API. The SBOM will be generated for the `ghAccountOwner/repository` application. |\n| `path`           | `sboms/sample_sbom.json`          | The absolute path within the provided `repository` to the SBOM document.                                                                                                                                                                                                                                             |\n| `ref` | `main` | The branch, commit, or tag where the targeted file can be found.                                                                                                                             
                                                                                                                       |\n\n**Optional, Public Inputs: API Parameters**\n\n\u003e These inputs are passed as search parameters to underlying SBOM Workspace `upload` endpoint. Refer to API documentation for further details.\n\n| Input Name                | Type                           | Description                                                                        |\n| ------------------------- | ------------------------------ | ---------------------------------------------------------------------------------- |\n| `businessApplicationId`   | `\u003cSys ID\u003e`                     | SYS ID of the business application to map with the root application of given SBOM. |\n| `businessApplicationName` | `String`                       | Name of business application to map with the root application of given SBOM.       |\n| `buildId`                 | `String`                       | Build ID of the SBOM build.                                                        |\n| `productModelId`          | `\u003cSys ID\u003e`                     | SYS ID of product model to map with the root application of given SBOM.            |\n| `requestedBy`             | `Boolean`                      | Determines if devops workflow is executed.                                         |\n| `lifecycleStage`          | `production \\| pre_production` | Life cycle stage of the entity (i.e., production, pre_production).                 |\n| `fetchVulnerabilityInfo`  | `Boolean`                      | Flag to run the vulnerability intelligence integration.                            |\n| `fetchPackageInfo`        | `Boolean`                      | Flag to run the package intelligence integration.                                  |\n| `sbomSource`              | `String`                       | The source of the SBOM.                                                            
|\n| `maxStatusPollAttempts`   | `String` (Number)              | The maximum number of status poll attempts before action errors out.               |\n| `statusAttemptInterval`   | `String` (Number)              | The number of milliseconds between each status poll attempt.                       |\n\n**Non-Optional, Secret Inputs**\n\n| Secret Name      | Example                             | Description                                                                            |\n| ---------------- | ----------------------------------- | -------------------------------------------------------------------------------------- |\n| `snSbomUser`     | `username`                          | The username used to authenticate into the instance that has SBOM Workspace installed. |\n| `snSbomPassword` | `password`                          | The password used to authenticate into the instance that has SBOM Workspace installed. |\n| `snInstanceUrl`  | `https://instance.service-now.com/` | The URL of the ServiceNow instance that has SBOM Workspace installed.                  |\n| `ghToken`        | `gh_78dajnkrffj2806fuz7578o`        | A GitHub token used to access the repository that is storing the SBOM document.        |\n\n**Annotated Fields**\n\n- `uses`: Points to the ServiceNow SBOM Upload GitHub Action. Replace `\u003cRELEASE TAG\u003e` with the [appropriate version](https://github.com/ServiceNow/vulnerability-response/releases) of the Action.\n- `gh-account-owner`: The account name that owns the target repository. Replace `\u003cREPOSITORY OWNER\u003e` with the appropriate account owner string. It can be found within the URL of the calling repository.\n- `repository`: The repository name that holds the target SBOM document. Replace `\u003cREPOSITORY NAME\u003e` with the appropriate repository string. 
It can be found within the URL of the calling repository.\n\n### Results\n\nOn successful upload, the following output is displayed, indicating the SBOM has been uploaded and is enqueued for processing:\n\n```js\n{\n  result: {\n    status: 'success',\n    message: 'Queued for processing.',\n    bomRecordId: 'abc123xyzabc123xyzabc123xyzabc123'\n  }\n}\n```\n\nTo view vulnerability or package intelligence information within the GitHub Summary, set `fetchVulnerabilityInfo` or `fetchPackageInfo` to `'true'`.\n\n---\n\n### Complete Example Workflow\n\nThe following workflow is an example use of the SBOM Action. Not all values are required.\n\n\u003e For a given input value, a default can be set using the following syntax:\n\u003e\n\u003e `path: ${{ inputs.path || 'sboms/sample_sbom.json' }}`\n\n```yml\non:\n  push:\n    paths:\n      - \"package.json\"\n      - \"pnpm-lock.yaml\"\n  workflow_dispatch:\n    inputs:\n      gh-account-owner:\n        description: \"The account that owns the target SBOM repository.\"\n        required: true\n      provider:\n        description: \"The provider type for the action.\"\n        required: true\n        type: choice\n        default: \"repository\"\n        options:\n          - repository\n          - dependencyGraph\n      repository:\n        description: \"The repository that holds the target SBOM documents.\"\n        required: true\n      path:\n        description: \"The path to the target SBOM document.\"\n        required: true\n      lifecycle-stage:\n        description: \"Denotes the environment for which this SBOM was generated (i.e., production, pre_production).\"\n        required: false\n      fetch-package-info:\n        description: \"Fetch Package Info\"\n        required: false\n        default: \"true\"\n      fetch-vulnerability-info:\n        description: \"Fetch Vulnerability Info\"\n        required: false\n        default: \"true\"\n      max-status-poll-attempts:\n        description: \"The maximum number of status poll attempts.\"\n        required: false\n        default: \"5\"\n      status-attempt-interval:\n        description: \"The time in ms between status poll attempts.\"\n        required: false\n        default: \"10000\"\n\njobs:\n  sbom-upload:\n    runs-on: ubuntu-latest\n    name: SBOM Workspace Upload\n    steps:\n      - name: Upload\n        id: upload\n        uses: ServiceNow/vulnerability-response@v2.0.1\n        with:\n          snSbomUser: ${{ secrets.SN_SBOM_USERNAME }}\n          snSbomPassword: ${{ secrets.SN_SBOM_PASSWORD }}\n          snInstanceUrl: ${{ secrets.SN_INSTANCE_URL }}\n          ghToken: ${{ secrets.GH_TOKEN }}\n          ghAccountOwner: ${{ inputs.gh-account-owner }}\n          provider: ${{ inputs.provider }}\n          repository: ${{ inputs.repository }}\n          path: ${{ inputs.path }}\n          businessApplicationId: ${{ inputs.business-application-id }}\n          businessApplicationName: ${{ inputs.business-application-name }}\n          buildId: ${{ inputs.build-id }}\n          productModelId: ${{ inputs.product-model-id }}\n          requestedBy: ${{ inputs.requested-by }}\n          lifecycleStage: ${{ inputs.lifecycle-stage }}\n          fetchVulnerabilityInfo: ${{ inputs.fetch-vulnerability-info }}\n          fetchPackageInfo: ${{ inputs.fetch-package-info }}\n          sbomSource: ${{ inputs.source-sbom }}\n          maxStatusPollAttempts: ${{ inputs.max-status-poll-attempts }}\n          statusAttemptInterval: ${{ inputs.status-attempt-interval }}\n```\n\u003e Note: A `workflow_dispatch` event populates the `inputs` object whereas `push` will not. To enable functionality across both events, set a default value explicitly on the action's input:\n\u003e ``` yml\n\u003e jobs:\n\u003e   sbom-upload:\n\u003e     runs-on: ubuntu-latest\n\u003e     name: SBOM Workspace Upload\n\u003e     steps:\n\u003e       - name: Upload\n\u003e         id: upload\n\u003e         uses: ServiceNow/vulnerability-response@v1.0.0\n\u003e         with:\n\u003e           # Truncated for brevity...\n\u003e           ghAccountOwner: ${{ inputs.gh-account-owner || 'DEFAULT VALUE' }}\n\u003e ```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fservicenow%2Fvulnerability-response","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fservicenow%2Fvulnerability-response","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fservicenow%2Fvulnerability-response/lists"}