Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/advanced-security/gh-sbom

Generate SBOMs with gh CLI
https://github.com/advanced-security/gh-sbom

gh-extension

Last synced: 3 months ago
JSON representation

Generate SBOMs with gh CLI

Awesome Lists containing this project

README 

        
# gh-sbom



This is a `gh` CLI extension that outputs JSON SBOMs (in SPDX or CycloneDX format) for your GitHub repository using information from [Dependency graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).



SPDX output use the [Dependency Graph SBOM API](https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28), which quickly generates the SBOM server-side, and as such is faster, works for large repositories, and always includes license information.



CycloneDX output is generating by assembling the dependency information from the Dependency Graph GraphQL API, and license information (if you specify `-l`) from [ClearlyDefined](https://clearlydefined.io/)'s API. As such, CycloneDX output is slower, and may not work for large repositories.



Here's an example of generating a SPDX SBOM:

```

$ gh sbom | jq

{

  "SPDXID": "SPDXRef-DOCUMENT",

  "creationInfo": {

    "created": "2023-04-12T18:41:40Z",

    "creators": [

      "Tool: GitHub.com-Dependency-Graph"

    ]

  },

  "dataLicense": "CC0-1.0",

  "documentDescribes": [

    "com.github.advanced-security/gh-sbom"

  ],

  "documentNamespace": "https://github.com/advanced-security/gh-sbom/dependency_graph/sbom-fa3abb267af77b5d",

  "name": "com.github.advanced-security/gh-sbom",

  "packages": [

    {

      "SPDXID": "SPDXRef-go-github.com/cli/go-gh-1.1.0",

      "downloadLocation": "NOASSERTION",

      "externalRefs": [

        {

          "referenceCategory": "PACKAGE-MANAGER",

          "referenceLocator": "pkg:golang/github.com/cli/[email protected]",

          "referenceType": "purl"

        }

      ],

...

```



Or for CycloneDX use `-c`:

```

$ gh sbom -c -l | jq

{

  "bomFormat": "CycloneDX",

  "specVersion": "1.4",

  "version": 1,

  "metadata": {

    "timestamp": "2023-03-10T21:14:23Z",

    "tools": [

      {

        "vendor": "advanced-security",

        "name": "gh-sbom",

        "version": "0.0.9"

      }

    ],

    "licenses": [

      {

        "expression": "CC0-1.0"

      }

    ]

  },

  "components": [

    {

      "type": "library",

      "group": "github.com/cli",

      "name": "go-gh",

      "version": "1.2.1",

      "purl": "pkg:golang/github.com/cli/[email protected]"

    },

    ...

```



## Background



There is not another planned release, but bug reports are welcome via issues and questions are welcome via discussion.



## Requirements



This is an extension to the `gh` CLI. See [gh CLI installation](https://github.com/cli/cli#installation) if you haven't installed `gh` yet.



Once `gh` is installed, you can install this extension with:

```

$ gh ext install advanced-security/gh-sbom

```



If you want to upgrade to the latest version you can remove and reinstall the extension:

```

$ gh ext remove advanced-security/gh-sbom

$ gh ext install advanced-security/gh-sbom

```



Finally, if you are planning to run this on a GHES instance, you will need to be on: `GHES 3.9` or higher.



## License



This project is licensed under the terms of the MIT open source license. Please refer to [LICENSE.md](./LICENSE.md) for the full terms.



## Support



Bug reports are welcome via issues and questions are welcome via discussion. Please refer to [SUPPORT.md](./SUPPORT.md) for details.

This project is provided as-is. See