GitHub Action for SecureSBOM
https://github.com/shiftleftcyber/secure-sbom-action

bill-of-materials bom cyclonedx sbom software-bill-of-materials spdx supply-chain vex

# Secure SBOM GitHub Action

This GitHub Action signs and verifies SBOMs using the [SecureSBOM from ShiftLeftCyber](https://shiftleftcyber.io).

## Features
✅ Sign SBOMs with a given key

✅ Verify signed SBOMs with a given key

## Usage

```yaml
name: Sign SBOM
on: [push]

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Sign SBOM
        uses: shiftleftcyber/secure-sbom-action@v1
        with:
          sbom_file: <>
          secure_sbom_action: sign
          api_key: ${{ secrets.SBOM_API_KEY }}
          key_id: ${{ secrets.SECURE_SBOM_KEYID }}
```

```yaml
name: Verify SBOM
on: [push]

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Verify SBOM
        uses: shiftleftcyber/secure-sbom-action@v1
        env:
          SBOM_FILE: <>
          SECURE_SBOM_ACTION: verify
          API_KEY: ${{ secrets.SBOM_API_KEY }}
          KEY_ID: ${{ secrets.SECURE_SBOM_KEYID }}
```
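The two snippets above sign and verify in isolation. The following workflow is an added example, not part of this repository, that chains them: a signing job hands the SBOM to a separate verification job through a build artifact, with the workflow token scoped to read-only. It assumes the input names of the first snippet, a constructed SBOM path `sbom/app.cdx.json`, and that the sign step writes the signature into that file in place (check the action's documentation for your version).

```yaml
name: SBOM sign and verify
on:
  push:
    tags: ["v*"]

# Least-privilege token: the action only needs to read the checkout.
# Signing key material comes from repository secrets, not GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumption: the SBOM was generated earlier and is present at this path.
      - name: Sign SBOM
        uses: shiftleftcyber/secure-sbom-action@v1
        with:
          sbom_file: sbom/app.cdx.json          # constructed example path
          secure_sbom_action: sign
          api_key: ${{ secrets.SBOM_API_KEY }}
          key_id: ${{ secrets.SECURE_SBOM_KEYID }}
      # Hand the signed SBOM to the consuming job as an artifact.
      # Assumption: the sign step updates sbom/app.cdx.json in place.
      - uses: actions/upload-artifact@v4
        with:
          name: signed-sbom
          path: sbom/app.cdx.json

  verify:
    needs: sign
    runs-on: ubuntu-latest
    steps:
      # Fetch exactly what the sign job produced; no fresh checkout is needed.
      - uses: actions/download-artifact@v4
        with:
          name: signed-sbom
          path: sbom
      # Verify with the same key ID that signed the file. A failing step here
      # is the signal that the SBOM changed between signing and consumption.
      - name: Verify SBOM
        uses: shiftleftcyber/secure-sbom-action@v1
        with:
          sbom_file: sbom/app.cdx.json
          secure_sbom_action: verify
          api_key: ${{ secrets.SBOM_API_KEY }}
          key_id: ${{ secrets.SECURE_SBOM_KEYID }}
```

Gate any downstream publish or release job on `needs: verify` so an SBOM that fails verification never ships.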

## Inputs

| Name        | Description                            | Required | Default |
|-------------|----------------------------------------|----------|---------|
| `SBOM_FILE` | Path to the SBOM to sign or verify     | 🚫       | sign    |
| `KEY_ID`    | Key ID to use for signing/verification | ✅       | —       |
| `API_KEY`   | API Key (use GitHub Secret)            | ✅       | —       |
| `ACTION`    | `sign` or `verify`                     | ✅       | —       |