Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow type "file:..." to enable creation of SBOMs from tar and other package formats #357

Merged
merged 1 commit into from Oct 5, 2022
Merged

Allow type "file:..." to enable creation of SBOMs from tar and other package formats #357

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
31 changes: 21 additions & 10 deletions README.md
View file
Open in desktop
Expand Up @@ -58,6 +58,16 @@ Use the `path` parameter, relative to the repository root:
path: ./build/
```

### Scan a specific file
malt3 marked this conversation as resolved.
Show resolved Hide resolved

Use the `file` parameter, relative to the repository root:

```yaml
- uses: anchore/sbom-action@v0
with:
file: ./build/file
```

### Publishing SBOMs with releases

The `sbom-action` will detect being run during a
Expand Down Expand Up @@ -113,16 +123,17 @@ use the `artifact-name` parameter:
The main [SBOM action](action.yml), responsible for generating SBOMs
and uploading them as workflow artifacts and release assets.

| Parameter | Description | Default |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
| `path` | A path on the filesystem to scan. This is mutually exclusive to `image`. | \<current directory> |
| `image` | A container image to scan. This is mutually exclusive to `path`. See [Scan a container image](#scan-a-container-image) for more information. | |
| `registry-username` | The registry username to use when authenticating to an external registry | |
| `registry-password` | The registry password to use when authenticating to an external registry | |
| `artifact-name` | The name to use for the generated SBOM artifact. See: [Naming the SBOM output](#naming-the-sbom-output) | `sbom-<job>-<step-id>.spdx.json` |
| `output-file` | The location to output a resulting SBOM | |
| `format` | The SBOM format to export. One of: `spdx`, `spdx-json`, `cyclonedx`, `cyclonedx-json` | `spdx-json` |
| `dependency-snapshot` | Whether to upload the SBOM to the GitHub Dependency submission API | `false` |
| Parameter | Description | Default |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
| `path` | A path on the filesystem to scan. This is mutually exclusive to `file` and `image`. | \<current directory> |
| `file` | A file on the filesystem to scan. This is mutually exclusive to `path` and `image`. | |
| `image` | A container image to scan. This is mutually exclusive to `path` and `file`. See [Scan a container image](#scan-a-container-image) for more information. | |
| `registry-username` | The registry username to use when authenticating to an external registry | |
| `registry-password` | The registry password to use when authenticating to an external registry | |
| `artifact-name` | The name to use for the generated SBOM artifact. See: [Naming the SBOM output](#naming-the-sbom-output) | `sbom-<job>-<step-id>.spdx.json` |
| `output-file` | The location to output a resulting SBOM | |
| `format` | The SBOM format to export. One of: `spdx`, `spdx-json`, `cyclonedx`, `cyclonedx-json` | `spdx-json` |
| `dependency-snapshot` | Whether to upload the SBOM to the GitHub Dependency submission API | `false` |

### anchore/sbom-action/publish-sbom

Expand Down
6 changes: 5 additions & 1 deletion action.yml
View file
Open in desktop
Expand Up @@ -7,9 +7,13 @@ branding:
inputs:
path:
required: false
description: "A path on the filesystem to scan"
description: "A path to a directory on the filesystem to scan"
default: "."

file:
required: false
description: "A file on the filesystem to scan"

image:
required: false
description: "A container image to scan"
Expand Down
3 changes: 3 additions & 0 deletions dist/attachReleaseAssets/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions dist/downloadSyft/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions dist/runSyftAction/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 12 additions & 1 deletion src/Syft.ts
View file
Open in desktop
Expand Up @@ -5,6 +5,13 @@ export interface SyftDirectoryInput {
path: string;
}

/**
* Used for file input to Syft
*/
export interface SyftFileInput {
file: string;
}

/**
* Used to point Syft to a registry to scan an image
*/
Expand All @@ -24,7 +31,11 @@ export interface SyftImageInput {
* Syft invocation options
*/
export interface SyftOptions {
input: SyftDirectoryInput | SyftRegistryInput | SyftImageInput;
input:
| SyftDirectoryInput
| SyftFileInput
| SyftRegistryInput
| SyftImageInput;
format:
| "spdx"
| "spdx-tag-value"
Expand Down
2 changes: 2 additions & 0 deletions src/github/SyftGithubAction.ts
View file
Open in desktop
Expand Up @@ -135,6 +135,8 @@ async function executeSyft({
}
} else if ("path" in input && input.path) {
args = [...args, `dir:${input.path}`];
} else if ("file" in input && input.file) {
args = [...args, `file:${input.file}`];
} else {
throw new Error("Invalid input, no image or path specified");
}
Expand Down