Skip to content

Expose additional inspector-sbomgen configuration options as action inputs #189

Description

@bluesentinelsec

Summary

Today the action surfaces only a subset of the configuration options that inspector-sbomgen supports, so users cannot fully tune how their scans behave. This issue proposes exposing additional generator options as action inputs to give users finer control over SBOM generation.

All additions are opt-in — defaults remain unchanged, so existing workflows are unaffected.

Proposed options (in implementation priority order)

  1. Scan machine learning models (--collect-ml-models) — allow users to include ML models (e.g., Hugging Face) in the inventory.
  2. Enable additional scanners (--additional-scanners) — allow users to opt into scanners that are not run by default.
  3. Include diagnostic SBOM metadata (--enable-debug-props) — allow users to add extra provenance/debug detail to the SBOM to aid troubleshooting.
  4. Skip oversized files (--max-file-size) — allow users to exclude files above a size threshold from scanning.
  5. Cap file read size (--max-read-file-size) — allow users to limit how much of a single file is read, avoiding out-of-memory conditions on large artifacts.
  6. Limit scan depth (--depth) — allow users to cap how deeply directory scanning recurses.
  7. Per-path debug logging (--debug-file-paths) — allow users to enable detailed path-level logging for troubleshooting.
  8. Custom detection plugins (--plugin-dir) — allow advanced users to supply their own plugins to extend detection.

Goal

Broaden what users can configure through the action so that CI scans can be tailored to their projects (new artifact types, resource limits, troubleshooting, and extensibility) without having to bypass the action.

Related: #179 (generic passthrough for generator flags) — complementary to the curated inputs proposed here.

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions