Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/codenotary/sbom.sh-create

SBOM.sh container analysis and scan using Grype provided as a GitHub Action
https://github.com/codenotary/sbom.sh-create

Last synced: about 2 months ago
JSON representation

SBOM.sh container analysis and scan using Grype provided as a GitHub Action

Host: GitHub
URL: https://github.com/codenotary/sbom.sh-create
Owner: codenotary
License: apache-2.0
Created: 2023-11-09T14:59:48.000Z (about 1 year ago)
Default Branch: main
Last Pushed: 2023-11-20T07:18:50.000Z (about 1 year ago)
Last Synced: 2023-11-20T08:33:35.443Z (about 1 year ago)
Size: 35.2 KB
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# sbom.sh-create
SBOM.sh container and repository SBOM generation & sharing + vulnerability scan using Grype, Syft or Trivy provided as a GitHub Action
# SBOM.sh GitHub Action

This GitHub Action integrates with [sbom.sh](https://sbom.sh/) to generate and upload Software Bill of Materials (SBOM) for your projects. Utilizing the `codenotary/sbom.sh` container image, this action supports various open-source SBOM tools such as Trivy, Grype, and Syft.

## Features

- Generate SBOMs for filesystems and container images.
- Support for multiple scanning tools (Trivy, Grype, Syft).
- Upload SBOMs directly to sbom.sh and obtain a shareable URL.
- Optional vulnerability scanning and SBOM score calculation at sbom.sh.

## Workflow Dispatch Options

This action can be triggered manually using the `workflow_dispatch` event. You can provide the following inputs:

- `scan_type`: The type of scan to perform, such as `trivyfs`, `trivyimage`, `grypefs`, `grypeimage`, `syftfs`, or `syftimage`.
- `target`: The target for the scan, which is applicable for image scans.

When you navigate to the Actions tab of your GitHub repository, you will see an option to "Run workflow". You can select the branch you want to run the workflow on and provide the required inputs.

## Usage

To use this action, add the following to your `.github/workflows` directory in a file like `sbom-analysis.yml`:

```yaml
name: "Generate and Upload SBOM"

on: [push, pull_request, workflow_dispatch]

jobs:
generate_sbom:
runs-on: ubuntu-latest
name: "SBOM Generation"
steps:
- name: Checkout Repository
uses: actions/checkout@v4

- name: Generate SBOM
id: sbom_generation
uses: codenotary/sbom.sh-create@main
with:
scan_type: 'grypefs'
target: '.' # Assuming you want to scan the entire repository

- name: Output SBOM URL
run: echo "The SBOM can be found at $SBOM_SHARE_URL"

```

## Inputs
- `scan_type`: Type of scan (trivyfs, trivyimage, grypefs, grypeimage, syftfs, syftimage).
- `target`: Scan target (applicable for image scans).

## About sbom.sh

sbom.sh is a service that allows you to generate a valid Software Bill-of-Materials (SBOM) in CycloneDX or SPDX format. It provides a centralized platform to store SBOMs and facilitates better tracking and analysis of your software components.

For detailed documentation on the sbom.sh service and GitHub Action, visit https://sbom.sh or https://hub.docker.com/repository/docker/codenotary/sbom.sh/general.

## License
This GitHub Action and corresponding scripts are released under the Apache2 License. See LICENSE for details.

## Contributing
Contributions are welcome!