Skip to content
Generate SBOM with SBOM tool and load into ScanCode.io

[CRAVEX] SCA Integrations: SBOM tool #12

Sign in to view logs

[CRAVEX] SCA Integrations: SBOM tool

[CRAVEX] SCA Integrations: SBOM tool #12

Workflow file for this run

.github/workflows/sca-integration-sbom-tool.yml at aff66bb
name: Generate SBOM with SBOM tool and load into ScanCode.io
on:
workflow_dispatch:
pull_request:
push:
branches:
- main
permissions:
contents: read
env:
IMAGE_REFERENCE: "python:3.13.0-slim"
jobs:
generate-and-load-sbom:
runs-on: ubuntu-24.04
steps:
- name: Download SBOM tool
run: |
curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
chmod +x $RUNNER_TEMP/sbom-tool
- name: Generate SBOM with SBOM tool
run: |
mkdir -p sbom-output
$RUNNER_TEMP/sbom-tool generate \
-di ${{ env.IMAGE_REFERENCE }} \
-pn DockerImage \
-pv 1.0.0 \
-ps Company \
-nsb https://sbom.company.com \
-m sbom-output \
-V Verbose
- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom-output
path: sbom-output
- name: Import SBOM into ScanCode.io
uses: aboutcode-org/scancode-action@main
with:
pipelines: "load_sbom"
inputs-path: "sbom-output/_manifest/spdx_2.2/manifest.spdx.json"
- name: Verify SBOM Analysis Results in ScanCode.io
shell: bash
run: |
scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90"