sbom/action.yaml at main · scality/sbom · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
---
name: "Scality SBOM Action"
description: "Creates an SBOM (Software Bill Of Materials) from your code, and artifacts."
author: "Scality"
branding:
  color: blue
  icon: shield
inputs:
  grype_version:
    description: "The version of grype to use"
    required: false

  syft_version:
    description: "The version of syft to use"
    required: false

  target:
    description: "The target to scan"
    required: true

  target_type:
    description: "The type of target to scan"
    required: false

  output_format:
    description: "The SBOM format to export"
    required: false

  output_file:
    description: "A file location to store the SBOM"
    required: false

  output_dir:
    description: "A directory location to store the SBOM"
    required: false

  exclude_mediatypes:
    description: "Exclude specific media types from the SBOM"
    required: false

  distro:
    description: "The Linux distribution of the target, on the format 'distro:version', if not detected"
    required: false

  name:
    description: "The name of the target, if not detected"
    required: false

  version:
    description: "The version of the target, if not detected"
    required: false

  merge:
    description: "Merge generated SBOMs into a single file, only for CycloneDX"
    required: false

  merge_hierarchical:
    description: "Merge generated SBOMs into a single file, only for CycloneDX"
    required: false

  vuln:
    description: "Check for vulnerabilities"
    required: false

  vuln_output_format:
    description: "Vulnerability output format"
    required: false

  vuln_output_file:
    description: "A file location to store the vulnerability report"
    required: false

runs:
  using: "composite"
  steps:
    - name: Install Python 3
      uses: actions/setup-python@v6
      with:
        python-version: "3.13"

    - name: Install python deps
      shell: bash
      run: |
        if [ -f "${{ github.action_path }}/requirements.txt" ]; then
          pip install -r "${{ github.action_path }}/requirements.txt"
        else
          echo "No requirements.txt found; skipping Python dependencies installation."
        fi

    - name: Install dependencies
      shell: bash
      run: |
          export DEBIAN_FRONTEND=noninteractive && \
          sudo apt-get update && \
          sudo apt-get install --no-install-recommends -y \
          file \
          jq \
          p7zip-full \
          python3-setuptools

    - name: Install scanners
      shell: bash
      env:
        INPUT_GRYPE_VERSION: ${{ inputs.grype_version }}
        INPUT_SYFT_VERSION: ${{ inputs.syft_version }}
      run: python3 ${{ github.action_path }}/src/main.py install

    - name: Run the scan
      shell: bash
      env:
        INPUT_TARGET: ${{ inputs.target }}
        INPUT_TARGET_TYPE: ${{ inputs.target_type }}
        INPUT_OUTPUT_FORMAT: ${{ inputs.output_format }}
        INPUT_OUTPUT_FILE: ${{ inputs.output_file }}
        INPUT_OUTPUT_DIR: ${{ inputs.output_dir }}
        INPUT_EXCLUDE_MEDIATYPES: ${{ inputs.exclude_mediatypes }}
        INPUT_DISTRO: ${{ inputs.distro }}
        INPUT_NAME: ${{ inputs.name }}
        INPUT_VERSION: ${{ inputs.version }}
        INPUT_MERGE: ${{ inputs.merge }}
        INPUT_MERGE_HIERARCHICAL: ${{ inputs.merge_hierarchical }}
        INPUT_VULN: ${{ inputs.vuln }}
        INPUT_VULN_OUTPUT_FORMAT: ${{ inputs.vuln_output_format }}
        INPUT_VULN_OUTPUT_FILE: ${{ inputs.vuln_output_file }}
      run: python3 ${{ github.action_path }}/src/main.py scan