https://github.com/khulnasoft-lab/make-sbom-action
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/khulnasoft-lab/make-sbom-action
- Owner: khulnasoft-lab
- License: mit
- Created: 2023-07-14T21:03:12.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-02-09T02:19:02.000Z (over 1 year ago)
- Last Synced: 2025-03-18T13:03:08.465Z (2 months ago)
- Language: JavaScript
- Size: 970 KB
- Stars: 0
- Watchers: 0
- Forks: 1
- Open Issues: 13
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.md
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
- Support: SUPPORT.md
README
# SBOM Make
This repository uses GitHub's dependency graph to automatically build an SBOM in SPDX 2.3 format. It supports the same [ecosystems](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) as the dependency graph, and does not support dependencies from the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). If you need support for a different set of formats, we recommend having a look at the [Microsoft SBOM Tool](https://github.com/microsoft/sbom-tool), or Anchore's [Syft](https://github.com/anchore/syft).
## Usage
### GitHub Actions

You can add this Action to a GitHub Actions workflow by adding the following YAML to a workflow file. This publishes the SBOM as an artifact of the Actions workflow run.

```yaml
name: SBOM Make

on:
  push:
    branches: [ "main" ]
  workflow_dispatch:

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: khulnasoft-lab/make-sbom-action@<ref>  # pin to a release tag or, better, a full commit SHA
        id: sbom
        env:
          GITHUB_TOKEN: ${{ github.token }}
      - uses: actions/upload-artifact@<ref>
        with:
          path: ${{ steps.sbom.outputs.fileName }}
          name: "SBOM"
```

Replace each `<ref>` with the release you want to use; pinning third-party actions to a full commit SHA rather than a movable tag ensures that a retagged release cannot silently change what runs in your workflow. `permissions: read-all` keeps the workflow token read-only, which is all this job needs: the action only reads the dependency graph, and uploading an artifact does not require a write scope on `GITHUB_TOKEN`.

### As a CLI
1. Clone this repository to your local machine.
2. Change to that directory and run `npm install -g .` to install the CLI locally.
3. Run `sbom-generator "githubtoken" "owner/name"`, where `githubtoken` is a legacy (classic) GitHub token with repository read permission and `owner/name` is a GitHub repository. Alternatively, the script reads those values from the `GITHUB_TOKEN` and `GITHUB_REPOSITORY` environment variables, so you can omit the arguments when both are set. Prefer the environment variables to passing the token on the command line, where it would end up in your shell history and be visible in the process list.

# License
This project is licensed under the terms of the MIT open source license. Please refer to [MIT](LICENSE.md) for the full terms.