https://github.com/nowsecure/nowsecure-sbom-action
Generate a Mobile SBOM for an application and submit to the Dependency submission API
action analysis dependabot frida nowsecure security security-tools
- Host: GitHub
- URL: https://github.com/nowsecure/nowsecure-sbom-action
- Owner: nowsecure
- License: mit
- Created: 2022-06-29T17:23:48.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-05-02T14:19:11.000Z (over 1 year ago)
- Last Synced: 2025-03-24T01:25:29.318Z (6 months ago)
- Topics: action, analysis, dependabot, frida, nowsecure, security, security-tools
- Homepage: https://bit.ly/ns-git-sbom
- Size: 9.77 KB
- Stars: 9
- Watchers: 6
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# `nowsecure-sbom-action`
Generate a Mobile SBOM for an application and submit to the Dependency submission API.
**Features**:
- Integrates with GitHub's [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) to display mobile dependencies inside of GitHub Dependabot alerts.
- Run scans for each commit, or periodically.

## User Guide
This action requires a NowSecure Platform license. If you *are not* a NowSecure customer, click [here](https://bit.ly/ns-git-sbom) to sign up for a free trial to get access.
If you *are* an existing NowSecure customer, proceed with the instructions below.
### Prerequisites
- NowSecure Platform token in GitHub secrets:
  1. In NowSecure Platform, go to "Profile & Preferences" to create a token for GitHub.
  2. In GitHub repository settings, click "Secrets" then "New repository secret". Name the secret `NS_TOKEN`.
- Group ID.

### GitHub Marketplace Setup (recommended)
Go to the [GitHub Marketplace](https://github.com/marketplace?type=&verification=&query=NowSecure+Mobile+SBOM+) and click the "NowSecure Mobile SBOM" action, then click "Use latest version" and follow the annotated workflow.

### Manual Setup
For an _existing_ workflow:

The action must be run on an `ubuntu-latest` GitHub Actions runner. After the application build step, run the NowSecure Mobile SBOM action:
```yml
- name: NowSecure upload app
  uses: nowsecure/nowsecure-sbom-action@v3
  timeout-minutes: 60
  with:
    platform_token: ${{ secrets.NS_TOKEN }}
    app_file: $APPLICATION_PATH # REPLACE: The path to an .ipa or .apk
    group_id: $GROUP_ID # REPLACE: NowSecure Group ID
```

For a _new_ workflow,
Add a new file called `nowsecure-sbom.yml` in your `.github/workflows` folder and review the [example](workflows/nowsecure-sbom.yml).
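The following is a complete workflow for the new-workflow case, written here as an added example; it is not the project's own `workflows/nowsecure-sbom.yml`. The action name, version and its three inputs come from the snippet above; the `push`/`schedule` triggers, the Gradle build step, the `APP_FILE` path, the `NS_GROUP_ID` secret name and the `permissions` block are assumptions for a hypothetical Android project and should be adjusted to yours (an `.ipa` is passed the same way).

```yaml
# Added example (not the project's own workflow). Assumes an Android Gradle
# build that writes app-release.apk; replace the build step and APP_FILE for
# your project. Only NS_TOKEN and the action inputs come from the README.
name: NowSecure Mobile SBOM

on:
  push:
    branches: [main]        # scan each commit on main
  schedule:
    - cron: "0 6 * * 1"     # and periodically: Mondays 06:00 UTC

permissions:
  contents: write           # needed to write to the Dependency submission API
                            # (assumption: the action submits with GITHUB_TOKEN)

env:
  APP_FILE: app/build/outputs/apk/release/app-release.apk   # assumed build output

jobs:
  sbom:
    runs-on: ubuntu-latest  # the action must run on ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build the app   # placeholder: use your real build command
        run: ./gradlew assembleRelease

      - name: NowSecure upload app
        uses: nowsecure/nowsecure-sbom-action@v3
        timeout-minutes: 60
        with:
          platform_token: ${{ secrets.NS_TOKEN }}
          app_file: ${{ env.APP_FILE }}
          group_id: ${{ secrets.NS_GROUP_ID }}   # assumption: Group ID kept as a secret
```

Two points worth checking when adapting this: `with:` values are not passed through a shell, so a bare `$APPLICATION_PATH` like the one in the snippet above is handed to the action literally; use a workflow expression such as `${{ env.APP_FILE }}` or a literal path instead. And keep the `permissions` block to the minimum the submission needs; granting `write-all` to a job that uploads a build artifact to an external service is more access than the task requires.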
## License
This project is released under the [MIT License](https://github.com/nowsecure/nowsecure-action/blob/master/LICENSE).
NowSecure Platform, used in this action, has separate [Terms and Conditions](https://www.nowsecure.com/terms-and-conditions/) and requires a valid license to function.