https://github.com/djschleen/sbom-release-example
An example project that demonstrates how to automate a release with SBOM generation using Syft
cyclonedx github-actions sbom spdx tutorial
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/djschleen/sbom-release-example
- Owner: djschleen
- License: mpl-2.0
- Created: 2022-07-27T16:31:13.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2023-02-23T10:16:59.000Z (about 2 years ago)
- Last Synced: 2025-01-30T10:32:02.441Z (3 months ago)
- Topics: cyclonedx, github-actions, sbom, spdx, tutorial
- Language: Go
- Homepage:
- Size: 89.8 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README

# sbom-release-example
An example project that demonstrates how to automate a release with SBOM generation using Syft.
## Tutorial
There is a tutorial video available on my YouTube channel. Check it out for a step-by-step walkthrough on how to create an automated release with SBOM generation.
## Quickstart
After cloning this repository, you should be good to go and can just run ```make build``` to make the ```sbom-release-example``` binary.
To test, run the following in your local repository folder:
``` bash
./sbom-release-example hello
```
## Initializing Hookz
This repository has a pre-commit action pipeline in it that can be used with [Hookz](https://github.com/devops-kung-fu/hookz). Use the instructions there to install the ```hookz``` command and then execute the following in your local repository folder:
``` bash
hookz init --verbose --verbose-output
```
Now you will have a pre-commit action pipeline that checks Go code quality, lints, runs cyclomatic complexity checks, and runs test cases before any code gets committed to the remote repository. If there is a problem, ```hookz``` will stop the commit process and let you address issues.
## Credits
A big thank-you to our friends at [Freepik](https://www.flaticon.com/authors/freepik) for the ```bomb``` logo.