Fetch SBOM Action

NOTE: The Fetch SBOM Action is not currently supported in GitHub Enterprise Server environments.

A GitHub Action that downloads the SBOM (Software Bill of Materials) generated for a previous Sonatype Lifecycle evaluation and stores it as a workflow artifact. Both the CycloneDX and SPDX standards are supported.

Usage Example

```yaml
name: Sonatype Workflow
on: push
jobs:
  sonatype-cli:
    runs-on: ubuntu-latest
    steps:
      # some steps are omitted...
      # Evaluate Sonatype CLI
      - name: Evaluate Sonatype CLI
        id: evaluate
        uses: sonatype/actions/evaluate@v1
        with:
          iq-server-url: https://your.lifecycle.server
          username: ${{ secrets.LIFECYCLE_USERNAME }}
          password: ${{ secrets.LIFECYCLE_PASSWORD }}
          application-id: lifecycle-app
          scan-targets: target/*.jar
      # Fetch the SBOM file associated with the previous Sonatype CLI run.
      # The condition runs this step even when the policy evaluation fails
      # (a failed evaluation is exactly when you want the SBOM on record),
      # but only if the evaluate step actually produced a scan-id; the step
      # is skipped when the workflow was cancelled.
      - name: Fetch SBOM
        uses: sonatype/actions/fetch-sbom@v1
        if: ( success() || failure() ) && steps.evaluate.outputs.scan-id
        with:
          iq-server-url: https://your.lifecycle.server
          username: ${{ secrets.LIFECYCLE_USERNAME }}
          password: ${{ secrets.LIFECYCLE_PASSWORD }}
          application-id: lifecycle-app
          scan-id: ${{ steps.evaluate.outputs.scan-id }}
          sbom-standard: cyclonedx
          sbom-version: 1.6
          artifact-name: my-sbom
```

Parameters

iq-server-url
Lifecycle (IQ Server) URL. Required

username
The username to authenticate with Lifecycle (IQ Server). Required

password
The password to authenticate with Lifecycle (IQ Server). Required

application-id
Lifecycle (IQ Server) application ID. Required

scan-id
The scan ID of the Lifecycle evaluation whose SBOM should be fetched (in the example above, the scan-id output of the evaluate step). Required

sbom-standard
The SBOM standard: spdx or cyclonedx. Required

sbom-version
The version of the SBOM standard. Available CycloneDX versions: 1.2, 1.3, 1.4, 1.5 and 1.6 (default 1.6). Available SPDX versions: 2.3 (default 2.3). Optional

sbom-format
The output file format: json or xml. Default: json. Optional

artifact-name
The name of the artifact to be stored. Default: sbom-document. Optional

push-dependency-graph
If true, the dependency information from the fetched SBOM is submitted to the repository's Dependency Graph (Insights > Dependency graph), so the graph reflects the components Lifecycle actually scanned rather than only what GitHub infers from manifest files. Default: false. Optional

token
GitHub token used to submit the dependency information when push-dependency-graph is true; either a Personal Access Token (PAT) or the workflow's GITHUB_TOKEN. Defaults to the token provided by the Actions runner. Submitting to the Dependency Graph requires contents: write on the repository, so grant that permission to the job (permissions: contents: write) if you rely on the default token. Optional