Ecosyste.ms: Awesome

https://github.com/jhutchings1/spdx-to-dependency-graph-action

A GitHub Action that takes SPDX SBOMs and uploads them to GitHub's dependency submission API to power Dependabot alerts

Topics: dependency-graph, dependency-submission, sbom, security, spdx

> **Note**
>
> This repository is archived. Please use https://github.com/advanced-security/spdx-dependency-submission-action going forward

# SPDX to Dependency Graph Action

This repository makes it easy to upload an SPDX SBOM to GitHub's dependency submission API. Because Dependabot alerts are driven by the dependency graph, this lets you receive alerts for ecosystems whose manifests GitHub doesn't parse natively, such as pnpm or Paket, by running an existing off-the-shelf SBOM generator and submitting its output. The API identifies each package by its package URL (purl), so only SBOM entries that carry a purl external reference can be matched against advisories and produce alerts.
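
To make that translation concrete, here is an added example (not the action's own code, nor sbom-tool's) that turns an SPDX 2.2 JSON document into the snapshot body the dependency submission API accepts, without sending it. The SBOM is constructed inline; the detector metadata, the `runtime` scope and the choice to key `resolved` entries by purl are assumptions. The package without a purl shows the edge case: it is dropped because the API requires a `package_url` for every resolved package.

```python
"""Build a GitHub dependency-submission snapshot from an SPDX 2.2 JSON SBOM.

Added example, not the action's own code. It assumes packages carry a
package-url (purl) externalRef, as the Microsoft sbom-tool emits, and it only
builds the request body for POST /repos/{owner}/{repo}/dependency-graph/snapshots.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed SPDX 2.2 document standing in for _manifest/spdx_2.2/manifest.spdx.json.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app 1.0.0",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "example-app", "versionInfo": "1.0.0",
         "externalRefs": []},
        {"SPDXID": "SPDXRef-Package-A", "name": "lodash", "versionInfo": "4.17.20",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
        {"SPDXID": "SPDXRef-Package-B", "name": "minimist", "versionInfo": "1.2.5",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/minimist@1.2.5"}]},
        # No purl: GitHub cannot map it to an ecosystem, so it must be dropped.
        {"SPDXID": "SPDXRef-Package-C", "name": "vendored-blob", "versionInfo": "0.1",
         "externalRefs": []},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-A"},
        {"spdxElementId": "SPDXRef-Package-A", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-B"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-C"},
    ],
}


def purl_of(pkg: dict) -> Optional[str]:
    """Return the package's purl external reference, or None if it has no usable one."""
    for ref in pkg.get("externalRefs", []):
        locator = ref.get("referenceLocator", "")
        if ref.get("referenceType") == "purl" and locator.startswith("pkg:"):
            return locator
    return None


def spdx_to_snapshot(spdx: dict, *, sha: str, ref: str, job_id: str, correlator: str,
                     manifest_name: str, scanned: Optional[datetime] = None) -> dict:
    """Translate packages and DEPENDS_ON relationships into the snapshot schema.

    Root packages (those the document DESCRIBES) are the repository itself and are
    not submitted; their DEPENDS_ON children are "direct", everything else "indirect".
    """
    relationships = spdx.get("relationships", [])
    roots = set(spdx.get("documentDescribes", []))
    roots.update(r["relatedSpdxElement"] for r in relationships
                 if r["relationshipType"] == "DESCRIBES" and r["spdxElementId"] == spdx["SPDXID"])
    purls = {p["SPDXID"]: purl_of(p) for p in spdx["packages"]}
    depends_on: dict = {}
    for r in relationships:
        if r["relationshipType"] == "DEPENDS_ON":
            depends_on.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    direct = {child for root in roots for child in depends_on.get(root, [])}

    resolved = {}
    for spdx_id, purl in purls.items():
        if purl is None or spdx_id in roots:
            continue  # unmatchable package or the repo itself
        resolved[purl] = {  # keyed by purl so dependency references are unambiguous (assumption)
            "package_url": purl,
            "relationship": "direct" if spdx_id in direct else "indirect",
            "scope": "runtime",  # assumed; SPDX 2.2 carries no runtime/dev distinction here
            "dependencies": [purls[d] for d in depends_on.get(spdx_id, []) if purls.get(d)],
        }
    when = scanned or datetime.now(timezone.utc)
    return {
        "version": 0,
        "sha": sha,
        "ref": ref,
        "job": {"correlator": correlator, "id": str(job_id)},
        "detector": {"name": "spdx-to-snapshot-example", "version": "0.0.1",
                     "url": "https://example.invalid/spdx-to-snapshot"},  # assumed metadata
        "scanned": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "manifests": {manifest_name: {"name": manifest_name,
                                      "file": {"source_location": manifest_name},
                                      "resolved": resolved}},
    }


if __name__ == "__main__":
    snapshot = spdx_to_snapshot(SAMPLE_SPDX, sha="0" * 40, ref="refs/heads/main", job_id="1",
                                correlator="SBOM-upload",
                                manifest_name="_manifest/spdx_2.2/manifest.spdx.json")
    print(json.dumps(snapshot, indent=2))
```

In a real workflow `sha`, `ref`, `job_id` and `correlator` come from `GITHUB_SHA`, `GITHUB_REF`, `GITHUB_RUN_ID` and the workflow/job name, and the body is POSTed with the job's `GITHUB_TOKEN`, which is why the job needs `contents: write`.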

### Example workflow
This workflow uses the [Microsoft sbom-tool](https://github.com/microsoft/sbom-tool) to generate an SPDX 2.2 document under `_manifest/spdx_2.2/`, keeps a copy as a build artifact, and then submits it. Only `contents: write` is required by the dependency submission API; drop `id-token: write` unless another step in the job needs an OIDC token.
```yaml
name: SBOM upload

on:
  workflow_dispatch:
  push:
    branches: ["main"]

jobs:
  SBOM-upload:
    runs-on: ubuntu-latest
    # contents: write is what the dependency submission API requires;
    # id-token: write is only needed if a step requests an OIDC token.
    permissions:
      id-token: write
      contents: write

    steps:
      - uses: actions/checkout@v3
      - name: Generate SBOM
        run: |
          # Fetches the unpinned "latest" release with no checksum verification;
          # pin a release tag and verify the download before trusting it in CI.
          curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
          chmod +x $RUNNER_TEMP/sbom-tool
          # Writes the SPDX 2.2 document under ./_manifest/spdx_2.2/
          $RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ${{ github.repository }} -pv 1.0.0 -ps OwnerName -nsb https://sbom.mycompany.com -V Verbose
      - uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: _manifest/spdx_2.2
      - name: SBOM upload
        # Pin to a tagged release of this action
        uses: jhutchings1/spdx-to-dependency-graph-action@<release-tag>
        with:
          filePath: "_manifest/spdx_2.2/"
```