Summary
Today the action surfaces only a subset of the configuration options that inspector-sbomgen supports, so users cannot fully tune how their scans behave. This issue proposes exposing additional generator options as action inputs to give users finer control over SBOM generation.
All additions are opt-in — defaults remain unchanged, so existing workflows are unaffected.
Proposed options (in implementation priority order)
- Scan machine learning models (
--collect-ml-models) — allow users to include ML models (e.g., Hugging Face) in the inventory.
- Enable additional scanners (
--additional-scanners) — allow users to opt into scanners that are not run by default.
- Include diagnostic SBOM metadata (
--enable-debug-props) — allow users to add extra provenance/debug detail to the SBOM to aid troubleshooting.
- Skip oversized files (
--max-file-size) — allow users to exclude files above a size threshold from scanning.
- Cap file read size (
--max-read-file-size) — allow users to limit how much of a single file is read, avoiding out-of-memory conditions on large artifacts.
- Limit scan depth (
--depth) — allow users to cap how deeply directory scanning recurses.
- Per-path debug logging (
--debug-file-paths) — allow users to enable detailed path-level logging for troubleshooting.
- Custom detection plugins (
--plugin-dir) — allow advanced users to supply their own plugins to extend detection.
Goal
Broaden what users can configure through the action so that CI scans can be tailored to their projects (new artifact types, resource limits, troubleshooting, and extensibility) without having to bypass the action.
Related: #179 (generic passthrough for generator flags) — complementary to the curated inputs proposed here.
Summary
Today the action surfaces only a subset of the configuration options that
inspector-sbomgensupports, so users cannot fully tune how their scans behave. This issue proposes exposing additional generator options as action inputs to give users finer control over SBOM generation.All additions are opt-in — defaults remain unchanged, so existing workflows are unaffected.
Proposed options (in implementation priority order)
--collect-ml-models) — allow users to include ML models (e.g., Hugging Face) in the inventory.--additional-scanners) — allow users to opt into scanners that are not run by default.--enable-debug-props) — allow users to add extra provenance/debug detail to the SBOM to aid troubleshooting.--max-file-size) — allow users to exclude files above a size threshold from scanning.--max-read-file-size) — allow users to limit how much of a single file is read, avoiding out-of-memory conditions on large artifacts.--depth) — allow users to cap how deeply directory scanning recurses.--debug-file-paths) — allow users to enable detailed path-level logging for troubleshooting.--plugin-dir) — allow advanced users to supply their own plugins to extend detection.Goal
Broaden what users can configure through the action so that CI scans can be tailored to their projects (new artifact types, resource limits, troubleshooting, and extensibility) without having to bypass the action.
Related: #179 (generic passthrough for generator flags) — complementary to the curated inputs proposed here.