scality
diff --git a/‎.devcontainer/Dockerfile‎
Lines changed: 0 additions & 14 deletions b/‎.devcontainer/Dockerfile‎
Lines changed: 0 additions & 14 deletions
diff --git a/‎.devcontainer/devcontainer.json‎
Lines changed: 18 additions & 5 deletions b/‎.devcontainer/devcontainer.json‎
Lines changed: 18 additions & 5 deletions
diff --git a/‎.devcontainer/requirements.txt‎
Lines changed: 3 additions & 1 deletion b/‎.devcontainer/requirements.txt‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.devcontainer/setup.sh‎
100644100755
Lines changed: 6 additions & 0 deletions b/‎.devcontainer/setup.sh‎
100644100755
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/tests.yaml‎
Lines changed: 28 additions & 30 deletions b/‎.github/workflows/tests.yaml‎
Lines changed: 28 additions & 30 deletions
diff --git a/‎.gitignore‎
Lines changed: 0 additions & 7 deletions b/‎.gitignore‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 23 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 133 additions & 24 deletions b/‎README.md‎
Lines changed: 133 additions & 24 deletions
@@ -1,18 +1,5 @@
 FROM mcr.microsoft.com/devcontainers/base:jammy
 
-RUN export DEBIAN_FRONTEND=noninteractive && \
-    curl -O -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh && \
-    sudo sh install.sh -b /usr/local/bin
-
-RUN export DEBIAN_FRONTEND=noninteractive && \
-    curl -O -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh && \
-    sudo sh install.sh -b /usr/local/bin
-
-RUN export DEBIAN_FRONTEND=noninteractive && \
-    curl -O -sSfL https://aquasecurity.github.io/trivy-repo/deb/public.key && \
-    sudo apt-key add public.key && \
-    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | tee -a /etc/apt/sources.list.d/trivy.list
-
 RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get update && \
     apt-get install --no-install-recommends -y \
@@ -25,7 +12,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
         p7zip-full \
         skopeo \
         tmux \
-        trivy \
         vim \
         && \
     apt-get clean
 
@@ -5,19 +5,32 @@
   },
   "features": {
     "ghcr.io/devcontainers/features/github-cli:1": {},
-    "ghcr.io/devcontainers/features/sshd:1": {}
+    "ghcr.io/devcontainers/features/sshd:1": {},
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {}
   },
   "customizations": {
     "vscode": {
       "extensions": [
+        //Python support
+        "ms-python.python",
+        //Python test explorer
+        "littlefoxteam.vscode-python-test-adapter",
+        //PEP Pyton formatter
+        "ms-python.black-formatter",
+        //Python debugger
+        "ms-python.debugpy",
+        //Github Action helper
         "github.vscode-github-actions",
+        //Github Copilot
         "GitHub.copilot",
+        //Github Copilot chat
         "GitHub.copilot-chat",
+        //Github Pull Request
         "GitHub.vscode-pull-request-github",
-        "ms-vscode-remote.remote-containers",
+        //Git history
         "donjayamanne.githistory",
-        "solomonkinard.git-blame",
-        "ms-python.python"
+        //Git blame
+        "solomonkinard.git-blame"
       ],
       "settings": {
         "terminal.integrated.profiles.linux": {
@@ -31,5 +44,5 @@
     }
   },
   "remoteUser": "vscode",
-  "postCreateCommand": ".devcontainer/setup.sh"
+  "postCreateCommand": "bash .devcontainer/setup.sh"
 }
@@ -1,2 +1,4 @@
 requests==2.31.0
-GitPython==3.1.43
+GitPython==3.1.43
+pyunpack==0.3
+patool==2.2.0
@@ -19,4 +19,10 @@ fi
 echo "Updating localtime"
 sudo ln -fs /usr/share/zoneinfo/UTC /etc/localtime
 
+# Install act
+gh extension install https://github.com/nektos/gh-act
+
+# Install dependencies
+echo "Installing dependencies"
+python3 src/main.py install
 echo "End of setup"
@@ -2,56 +2,54 @@ name: "action-test"
 on:
   push:
   pull_request:
-  workflow_dispatch:
-    inputs:
-      ref:
-        description: "the git revision to checkout"
-        required: false
-      repo:
-        description: "repository to scan"
-        required: false
-      input_path:
-        description: "path to the repository"
-        default: "."
-        required: false
-      output_path:
-        description: "path to store the sbom"
-        default: "."
-        required: false
 
 jobs:
-
   test-as-action:
     runs-on: ubuntu-22.04
     steps:
-
       - name: Checkout
         uses: actions/checkout@v4
         with:
           path: ./
+          fetch-depth: 0
+          fetch-tags: true
 
-      - name: Install syft
+      - name: Download artifact
         shell: bash
-        run: |
-          export DEBIAN_FRONTEND=noninteractive && \
-          curl -O -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh && \
-          sudo sh install.sh -b /usr/local/bin
+        run: curl -o /tmp/Core-15.0.iso https://distro.ibiblio.org/tinycorelinux/15.x/x86/release/Core-15.0.iso
+
+      - name: Scan repo
+        uses: ./
+        with:
+          target: ./
+          output-dir: "/tmp/test/sbom"
+          syft-version: "1.1.0"
+          vuln-report: True
 
-      - name: Run syft
+      - name: Scan directory
         uses: ./
         with:
-          repo: sbom-test
-          input_path: ./tests
-          output_path: .
-          generate_vulnerability_report: "true"
+          target: /etc
+          output-dir: "/tmp/test/sbom"
+          name: "ghactionetc"
+
+      - name: Scan iso
+        uses: ./
+        with:
+          target: /tmp/Core-15.0.iso
+          output-dir: "/tmp/test/sbom"
+          version: "15.0"
+          name: "tinycorelinux"
+          vuln-report: False
 
       - name: Print the content of generated sbom file
+        shell: bash
         run: |
-          for sbom in repo_*.json; do
+          for sbom in /tmp/test/sbom/*.json; do
             echo "Content of $sbom"
             cat $sbom
           done
-          for sbom in repo_*.html; do
+          for sbom in /tmp/test/sbom/reports/*.html; do
             echo "Content of vulnerability result for SBOM: $sbom"
             cat $sbom
           done
@@ -66,8 +66,6 @@ dist/
 downloads/
 eggs/
 .eggs/
-lib/
-lib64/
 parts/
 sdist/
 var/
@@ -223,11 +221,6 @@ pyrightconfig.json
 
 ### VisualStudioCode ###
 .vscode/*
-!.vscode/settings.json
-!.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
-!.vscode/*.code-snippets
 
 # Local History for Visual Studio Code
 .history/
 
@@ -0,0 +1,23 @@
+# Contributing
+
+Contributions are welcome! Please follow the guidelines below.
+
+## Codespaces
+
+This project is configured to work with GitHub Codespaces. To open the project in a Codespace, click the button below:
+
+[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/scality/sbom)
+
+## Run the action locally
+
+`act` can be used to run the GitHub Actions workflow locally.
+It has been installed through the `gh` extension.
+To run the workflow locally, execute the following command:
+
+```bash
+gh act push --rm --workflows=.github/workflows/tests.yaml -P ubuntu-22.04=ghcr.io/catthehacker/ubuntu:act-22.04
+```
+
+For more information on how to use `act`, please refer to the [official documentation] or run `gh act --help`.
+
+[official documentation]: https://nektosact.com/introduction.html
@@ -1,45 +1,154 @@
 # Generate SBOM GitHub Action
 
-This action generates a Software Bill of Materials (SBOM) from git repositories using [Syft](https://github.com/anchore/syft).
+[![GitHub release](https://img.shields.io/github/release/scality/sbom.svg)](https://github.com/scality/sbom/releases/latest)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/anchore/sbom-action/blob/main/LICENSE)
 
-Syft will search in the entire repository and generate a sbom file for each language.
+A GitHub Action for creating a software bill of materials (SBOM)
+using [Syft](https://github.com/anchore/syft).
 
-Actually, only those languages are supported:
+## Basic Usage
 
-- python
-- go
-- javascript
-- github-actions
+```yaml
+- uses: scality/sbom@v1
+  with:
+    target: ./
+```
 
-If you need to add more syft cataloger, please open an issue.
+This will create SBOM result files based on type, ex: 
 
-## Inputs
+- repo_sbom_v1.1.0-4-gd6cdf1f.json
+- repo_sbom_v1.2.0.json
+- image_nginx_latest.json
+- iso_myiso.iso_128.json
 
-### `ref`
+If you want to scan a repository, you have to checkout it with `fetch-tags`.
+This is mandatory to get repo version for SBOM filename. 
 
-The git revision to checkout. Default is the current commit SHA.
+```yaml
+- uses: actions/checkout@v4  
+  with:  
+    fetch-depth: 0  
+    fetch-tags: true  
+```
 
-### `repo`
+## Configuration
 
-The repository to scan. This is required.
+### scality/sbom
 
-### `input_path`
+The main [SBOM action](action.yml), responsible for generating SBOMs.
 
-The path to the repository. This is required.
+| Parameter                   | Description                                                                           | Default                |
+| --------------------------- | ------------------------------------------------------------------------------------- | ---------------------- |
+| `grype-version`             | Grype version to use                                                                  | 0.77.2                 |
+| `sfyt-version`              | Syft version to use                                                                   | 1.2.0                  |
+| `trivy-version`             | Trivy version to use                                                                  | 0.50.1                 |
+| `target`                    | A file/directory/iso on the filesystem to scan.                                       | \<current directory>   |
+| `format`                    | Format of SBOM file.                                                                  | cyclonedx-json         |
+| `name`                      | Name of the target, if you need to overwrite the detected.                            |                        |
+| `version`                   | Version of the target, if you need to overwrite the detected. ISO have no version.    |                        |
+| `output_dir`                | Path to store generated SBOM files.                                                   | /tmp/sbom              |
+| `exclude_mediatypes`        | Media types to exclude for images.                                                    |                        |
+| `vuln_report`               | Generate vuln report using Grype.                                                     |                        |
 
-### `output_path`
+## Example Usage
 
-The path to store the SBOM. This is required.
+### Scan with a specific format
+
+Use the `path` parameter, relative to the repository root:
+
+```yaml
+- uses: scality/sbom@v1
+  with:
+    target: ./artifacts
+    format: cyclonedx-json
+```
+
+### Exclude mediatypes for container images
+
+Images created with Oras for example have custom mediatype and are not usable
+by Skopeo, they have to be excluded. 
+
+```yaml
+- uses: scality/sbom@v1
+  with:
+    target: ./images
+    exclude_mediatypes: "application/grafana-dashboard+json text/nginx-conf-template"
+```
 
-## Example usage
+### Full example
 
 ```yaml
-uses: scality/sbom@v1
-with:
-  ref: ${{ github.sha }}
-  repo: 'your-repo-to-scan'
-  input_path: 'path-to-your-repo'
-  output_path: 'path-to-store-sbom'
+name: "Generate sbom"
+on:
+  workflow_dispatch:
+  workflow_call:
+jobs:
+  generate-sbom:
+    runs-on: ubuntu-22.04
+    env:
+      BASE_PATH: ${{ github.workspace }}/workdir
+      SBOM_PATH: ${{ github.workspace }}/artifacts/sbom
+    steps:
+      - name: Create directories
+        shell: bash
+        run: |
+          mkdir -p ${{ env.BASE_PATH }}/repo
+          mkdir -p ${{ env.BASE_PATH }}/iso
+          mkdir -p ${{ env.SBOM_PATH }}
+      - name: Checkout repo for scanning
+        uses: actions/checkout@v4  
+        with:  
+          fetch-depth: 0  
+          fetch-tags: true
+          path: ${{ env.BASE_PATH }}/repo/myrepo
+      - name: Generate sbom for repository
+        uses: scality/sbom@v1.2.0
+        with:
+          target: ${{ env.BASE_PATH }}/repo/myrepo
+          output-dir: ${{ env.SBOM_PATH }}
+      - name: Get artifacts URL
+        uses: scality/action-artifacts@v4
+        id: artifacts
+        with:
+          method: setup
+          url: https://artifactmanager.net
+          user: ${{ secrets.ARTIFACTS_USER }}
+          password: ${{ secrets.ARTIFACTS_PASSWORD }}
+      - name: Donwload artifacts
+        shell: bash
+        env:
+          ARTIFACTS_URL: ${{ steps.artifacts.outputs.link }}
+          ARTIFACTS_USER: ${{ secrets.ARTIFACTS_USER }}
+          ARTIFACTS_PASSWORD: ${{ secrets.ARTIFACTS_PASSWORD }}
+        run: |
+          echo "Downloading my.iso from $ARTIFACTS_URL"
+          curl -sSfL -o ${{ env.BASE_PATH }}/iso/my.iso -u $ARTIFACTS_USER:$ARTIFACTS_PASSWORD $ARTIFACTS_URL/my.iso
+      - name: Generate sbom for ISO
+        uses: scality/sbom@v1.2.0
+        with:
+          target: ${{ env.BASE_PATH }}/iso/my.iso
+          version: "1.0.0"  # Make sure to replace this with the actual ISO version
+          output-dir: ${{ env.SBOM_PATH }}
+      - name: Generate archive
+        shell: bash
+        run: |
+          cd ${{ env.SBOM_PATH }}
+          tar -czf sbom_myproject.tar.gz *.json
+      - name: Clean up
+        shell: bash
+        run: |
+          rm -rf ${{ env.BASE_PATH }}/repo
+          rm -rf ${{ env.BASE_PATH }}/iso
+          rm -f ${{ env.SBOM_PATH }}/*.json
+      - name: Upload artifacts
+        if: always()
+        uses: scality/action-artifacts@v4
+        with:
+          method: upload
+          url: https://artifactmanager.net
+          user: ${{ secrets.USER }}
+          password: ${{ secrets.PASSWORD }}
+          source: artifacts
 ```
 
 ## References