diff --git a/README.md b/README.md index 4afbd2ca..753c3eef 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,16 @@ Use the `path` parameter, relative to the repository root: path: ./build/ ``` +### Scan a specific file + +Use the `file` parameter, relative to the repository root: + +```yaml +- uses: anchore/sbom-action@v0 + with: + file: ./build/file +``` + ### Publishing SBOMs with releases The `sbom-action` will detect being run during a 
@@ -113,16 +123,17 @@ use the `artifact-name` parameter: The main [SBOM action](action.yml), responsible for generating SBOMs and uploading them as workflow artifacts and release assets. -| Parameter | Description | Default | -| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `path` | A path on the filesystem to scan. This is mutually exclusive to `image`. | \ | -| `image` | A container image to scan. This is mutually exclusive to `path`. See [Scan a container image](#scan-a-container-image) for more information. | | -| `registry-username` | The registry username to use when authenticating to an external registry | | -| `registry-password` | The registry password to use when authenticating to an external registry | | -| `artifact-name` | The name to use for the generated SBOM artifact. See: [Naming the SBOM output](#naming-the-sbom-output) | `sbom--.spdx.json` | -| `output-file` | The location to output a resulting SBOM | | -| `format` | The SBOM format to export. One of: `spdx`, `spdx-json`, `cyclonedx`, `cyclonedx-json` | `spdx-json` | -| `dependency-snapshot` | Whether to upload the SBOM to the GitHub Dependency submission API | `false` | +| Parameter | Description | Default | +| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `path` | A path on the filesystem to scan. This is mutually exclusive to `file` and `image`. | \ | +| `file` | A file on the filesystem to scan. This is mutually exclusive to `path` and `image`. | | +| `image` | A container image to scan. This is mutually exclusive to `path` and `file`. See [Scan a container image](#scan-a-container-image) for more information. 
| | +| `registry-username` | The registry username to use when authenticating to an external registry | | +| `registry-password` | The registry password to use when authenticating to an external registry | | +| `artifact-name` | The name to use for the generated SBOM artifact. See: [Naming the SBOM output](#naming-the-sbom-output) | `sbom--.spdx.json` | +| `output-file` | The location to output a resulting SBOM | | +| `format` | The SBOM format to export. One of: `spdx`, `spdx-json`, `cyclonedx`, `cyclonedx-json` | `spdx-json` | +| `dependency-snapshot` | Whether to upload the SBOM to the GitHub Dependency submission API | `false` | ### anchore/sbom-action/publish-sbom diff --git a/action.yml b/action.yml index 71c25bf9..767976ca 100644 --- a/action.yml +++ b/action.yml @@ -7,9 +7,13 @@ branding: inputs: path: required: false - description: "A path on the filesystem to scan" + description: "A path to a directory on the filesystem to scan" default: "." + file: + required: false + description: "A file on the filesystem to scan" + image: required: false description: "A container image to scan" diff --git a/dist/attachReleaseAssets/index.js b/dist/attachReleaseAssets/index.js index 57d3b795..cdb701a6 100644 --- a/dist/attachReleaseAssets/index.js +++ b/dist/attachReleaseAssets/index.js @@ -24014,6 +24014,9 @@ function executeSyft(_a) { else if ("path" in input && input.path) { args = [...args, `dir:${input.path}`]; } + else if ("file" in input && input.file) { + args = [...args, `file:${input.file}`]; + } else { throw new Error("Invalid input, no image or path specified"); } diff --git a/dist/downloadSyft/index.js b/dist/downloadSyft/index.js index e4d5f637..28caf32d 100644 --- a/dist/downloadSyft/index.js +++ b/dist/downloadSyft/index.js 
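Review bot: The new `file` input in action.yml is documented only as "A file on the filesystem to scan", while the README table in this same commit states that it is mutually exclusive with `path` and `image`; the action metadata is what users see in the marketplace UI, so the exclusivity belongs there too. Suggest `description: "A file on the filesystem to scan. Mutually exclusive with path and image"`. Note also that `path` keeps `default: "."`, so a workflow that sets only `file` still has a non-empty `path` value reaching the action; how the two are reconciled is not visible in this hunk and should be stated in the description once confirmed.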
@@ -24062,6 +24062,9 @@ function executeSyft(_a) { else if ("path" in input && input.path) { args = [...args, `dir:${input.path}`]; } + else if ("file" in input && input.file) { + args = [...args, `file:${input.file}`]; + } else { throw new Error("Invalid input, no image or path specified"); } diff --git a/dist/runSyftAction/index.js b/dist/runSyftAction/index.js index c39d79b1..9203c27f 100644 --- a/dist/runSyftAction/index.js +++ b/dist/runSyftAction/index.js @@ -24014,6 +24014,9 @@ function executeSyft(_a) { else if ("path" in input && input.path) { args = [...args, `dir:${input.path}`]; } + else if ("file" in input && input.file) { + args = [...args, `file:${input.file}`]; + } else { throw new Error("Invalid input, no image or path specified"); } diff --git a/src/Syft.ts b/src/Syft.ts index 893e0f32..cfe6ef68 100644 --- a/src/Syft.ts +++ b/src/Syft.ts @@ -5,6 +5,13 @@ export interface SyftDirectoryInput { path: string; } +/** + * Used for file input to Syft + */ +export interface SyftFileInput { + file: string; +} + /** * Used to point Syft to a registry to scan an image */ @@ -24,7 +31,11 @@ export interface SyftImageInput { * Syft invocation options */ export interface SyftOptions { - input: SyftDirectoryInput | SyftRegistryInput | SyftImageInput; + input: + | SyftDirectoryInput + | SyftFileInput + | SyftRegistryInput + | SyftImageInput; format: | "spdx" | "spdx-tag-value" diff --git a/src/github/SyftGithubAction.ts b/src/github/SyftGithubAction.ts index 22889474..384ff6d2 100644 --- a/src/github/SyftGithubAction.ts +++ b/src/github/SyftGithubAction.ts @@ -135,6 +135,8 @@ async function executeSyft({ } } else if ("path" in input && input.path) { args = [...args, `dir:${input.path}`]; + } else if ("file" in input && input.file) { + args = [...args, `file:${input.file}`]; } else { throw new Error("Invalid input, no image or path specified"); }
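Review bot: `SyftOptions.input` is widened to a four-member union with no discriminant, so an object carrying both `path` and `file` (or both plus `image`) still type-checks and the choice falls to runtime `in` checks elsewhere. If the inputs are meant to be exclusive, say so on the new interface so callers do not rely on branch order: change the TSDoc to `* Used for file input to Syft. Mutually exclusive with SyftDirectoryInput, SyftRegistryInput and SyftImageInput.`. The enclosing `SyftOptions` interface continues past the second hunk.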
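Review bot: The final `else` in src/github/SyftGithubAction.ts still throws `"Invalid input, no image or path specified"` although `file` is now an accepted input, so a user who misspells the key gets a message that omits the option they tried; change it to `throw new Error("Invalid input, no image, path or file specified");`. The same string appears in the three generated dist bundles touched by this commit (attachReleaseAssets, downloadSyft, runSyftAction) and will follow on rebuild. Separately, the new `file` branch is only reached when `"path" in input && input.path` is false, and action.yml gives `path` a default of `"."`; if `input` is built directly from the raw action inputs, a workflow that sets only `file` would presumably be scanned as `dir:.` instead, so where `input` is assembled (outside this hunk) should be checked. executeSyft's body begins and ends outside the hunk.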