This repository demonstrates SecureSBOM in a real CI/CD workflow using a Maven project containing a vulnerable Log4J 2.14.1 dependency.
It shows how SecureSBOM:
- Generates SBOMs using CycloneDX
- Signs and verifies SBOMs via
shiftleftcyber/secure-sbom-action - Detects tampering (modifications post-signing)
- Enforces security gates before deployment
- Automatically signs SBOMs during GitHub releases
- Runs OSV vulnerability scans (source and SBOM)
demo-app/β Maven project with Log4J 2.14.1.github/workflows/secure-sbom-showcase-maven.ymlβ Main CI/CD workflowosv-report-template.htmlβ Dark terminal-themed SecureSBOM CI/CD reportREADME.mdβ You are here π
- Add repository secrets:
SECURE_SBOM_API_KEYSECURE_SBOM_KEYID- (GitHub automatically provides
GITHUB_TOKEN)
- Trigger the workflow manually under Actions β SecureSBOM Showcase.
- Watch the results:
- Signed SBOM artifacts
- Verification pass/fail
- OSV scan logs
- Tamper detection
- Pretty HTML report in summary or downloadable artifact
Note: This demo intentionally includes a vulnerable dependency (Log4J 2.14.1) for educational purposes only. Do not deploy this code in production.