GitHub Action for SBOM Generation

License: Apache-2.0

A GitHub Action for creating a software bill of materials (SBOM) using Syft.

Basic Usage

- uses: anchore/sbom-action@v0

By default, this action runs a Syft scan of the workspace directory and uploads the resulting SBOM, in SPDX format, as a workflow artifact. It also detects when it is being run during a GitHub release and then uploads the SBOM as a release asset as well.

Example Usage

Scan a container image

To scan a container image, use the image parameter:

- uses: anchore/sbom-action@v0
  with:
    image: ghcr.io/example/image_name:tag

The image will be fetched using the Docker daemon if available, which will use any authentication available to the daemon.

If the Docker daemon is not available, the action will retrieve the image directly from the container registry.

It is also possible to directly connect to the container registry with the registry-username and registry-password parameters. This will always bypass the Docker daemon:

- uses: anchore/sbom-action@v0
  with:
    image: my-registry.com/my/image
    registry-username: mr_awesome
    registry-password: ${{ secrets.REGISTRY_PASSWORD }}

Scan a specific directory

Use the path parameter, relative to the repository root:

- uses: anchore/sbom-action@v0
  with:
    path: ./build/

Scan a specific file

Use the file parameter, relative to the repository root:

- uses: anchore/sbom-action@v0
  with:
    file: ./build/file

Publishing SBOMs with releases

The sbom-action detects when it is run during a GitHub release and automatically uploads all SBOMs as release assets. However, it may be desirable to upload SBOMs generated with other tools, or with Syft outside this action. To do this, use the anchore/sbom-action/publish-sbom sub-action and specify a regular expression with the sbom-artifact-match parameter:

- uses: anchore/sbom-action/publish-sbom@v0
  with:
    sbom-artifact-match: ".*\\.spdx$"

Naming the SBOM output

By default, this action will upload an artifact named <repo>-<job-name>[-<step-id|step-number>].<extension>, for example:

build-sbom:
  steps:
    - uses: anchore/sbom-action@v0
    - uses: anchore/sbom-action@v0
    - uses: anchore/sbom-action@v0
      id: myid

This will create 3 artifacts:

my-repo-build-sbom.spdx.json
my-repo-build-sbom-2.spdx.json
my-repo-build-sbom-myid.spdx.json

If you need to name these artifacts differently, use the artifact-name parameter:

- uses: anchore/sbom-action@v0
  with:
    artifact-name: sbom.spdx
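The naming convention above and the publish-sbom matching from the previous section, as an added TypeScript model that is not sbom-action's own code: Step, artifactNames, selectForRelease and sampleSteps are assumed names, and treating step-number as the step's 1-based position in the job is an assumption (the README's example contains only SBOM steps, so both readings agree there).

```typescript
// Added model of the artifact naming convention and the publish-sbom matching
// described in the README. Illustrative code, not sbom-action's own source.

interface Step {
  uses: string; // the action reference, e.g. "anchore/sbom-action@v0"
  id?: string;  // optional step id from the workflow
}

// Names the SBOM artifact of every sbom-action step in a job, following
// <repo>-<job-name>[-<step-id|step-number>].<extension>: the first SBOM step
// gets no suffix, later ones get their step number unless an explicit id
// replaces it. Assumption: "step-number" is the step's 1-based position
// among all steps of the job.
function artifactNames(repo: string, job: string, steps: Step[], extension = "spdx.json"): string[] {
  const names: string[] = [];
  let seenSbomSteps = 0;
  steps.forEach((step, index) => {
    // Skip other actions and the sub-actions (publish-sbom, download-syft).
    if (!step.uses.startsWith("anchore/sbom-action@")) return;
    seenSbomSteps += 1;
    let suffix = "";
    if (step.id !== undefined) suffix = `-${step.id}`;
    else if (seenSbomSteps > 1) suffix = `-${index + 1}`;
    names.push(`${repo}-${job}${suffix}.${extension}`);
  });
  return names;
}

// Mimics publish-sbom: keeps the artifacts whose names match sbom-artifact-match.
// The pattern is used after YAML unquoting, so the README's "\\." reaches the
// action as the regex escape "\." (this source uses the same double backslash).
function selectForRelease(artifacts: string[], sbomArtifactMatch: string): string[] {
  const pattern = new RegExp(sbomArtifactMatch);
  return artifacts.filter((name) => pattern.test(name));
}

// Constructed sample: the build-sbom job from the README, followed by a
// publish-sbom step that must not receive an artifact name of its own.
const sampleSteps: Step[] = [
  { uses: "anchore/sbom-action@v0" },
  { uses: "anchore/sbom-action@v0" },
  { uses: "anchore/sbom-action@v0", id: "myid" },
  { uses: "anchore/sbom-action/publish-sbom@v0" },
];
```

Running selectForRelease with the README's example pattern ".*\\.spdx$" against these names returns nothing, because the default spdx-json output ends in .spdx.json; the table default ".*\\.spdx\\.json$" matches all three.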

Configuration

anchore/sbom-action

The main SBOM action, responsible for generating SBOMs and uploading them as workflow artifacts and release assets.

| Parameter | Description | Default |
| --- | --- | --- |
| path | A path on the filesystem to scan. This is mutually exclusive to file and image. | <current directory> |
| file | A file on the filesystem to scan. This is mutually exclusive to path and image. | |
| image | A container image to scan. This is mutually exclusive to path and file. See Scan a container image for more information. | |
| registry-username | The registry username to use when authenticating to an external registry | |
| registry-password | The registry password to use when authenticating to an external registry | |
| artifact-name | The name to use for the generated SBOM artifact. See: Naming the SBOM output | sbom-<job>-<step-id>.spdx.json |
| output-file | The location to output a resulting SBOM | |
| format | The SBOM format to export. One of: spdx, spdx-json, cyclonedx, cyclonedx-json | spdx-json |
| dependency-snapshot | Whether to upload the SBOM to the GitHub Dependency submission API | false |
| upload-artifact | Upload artifact to workflow | true |
| upload-artifact-retention | Retention policy in days for uploaded artifact to workflow. | |
| upload-release-assets | Upload release assets | true |
| syft-version | The version of Syft to use | |
| github-token | Authorized secret GitHub Personal Access Token. | github.token |

anchore/sbom-action/publish-sbom

A sub-action to upload multiple SBOMs to GitHub releases.

| Parameter | Description | Default |
| --- | --- | --- |
| sbom-artifact-match | A pattern to find SBOM artifacts. | .*\\.spdx\\.json$ |

anchore/sbom-action/download-syft

A sub-action to download Syft.

| Parameter | Description | Default |
| --- | --- | --- |
| syft-version | The version of Syft to download | |

Output parameters:

| Parameter | Description |
| --- | --- |
| cmd | A reference to the Syft binary. |

cmd can be referenced in a workflow like other output parameters: ${{ steps.<step-id>.outputs.cmd }}

Windows

Windows is currently supported via Windows Subsystem for Linux (WSL). A WSL distribution must be set up before the sbom-action is invoked; for example, you can add the small Alpine image:

- uses: Vampire/setup-wsl@v2
  with:
    distribution: Alpine

Diagnostics

This action makes extensive use of GitHub Action debug logging, which can be enabled by setting a secret named ACTIONS_STEP_DEBUG to true in your repository.
