SBOM Action

GitHub Action with two behaviours related to SBOMs for container images. Both expect an SBOM to be available on disk for an image that was just built (I suggest aquasec/trivy-action).

When triggered from a pull request, the action will:

Fetch the SBOM associated with the base-image input (by default: the :latest tag in the GitHub container registry).
Compare the base-image SBOM to a local SBOM.
Post a comment to the triggering pull request if there is any difference in detected packages or vulnerabilities.

When triggered from a schedule or workflow dispatch event, the action will:

Fetch the SBOM associated with the base-image input.
Compare the base-image SBOM to a local SBOM.
Open a new pull request if there is any difference in detected packages.

You can see this in use in: https://github.com/thepwagner-org/actions

Name		Name	Last commit message	Last commit date
Latest commit History 1,189 Commits
.github/workflows		.github/workflows
__tests__		__tests__
dist		dist
src		src
.eslintignore		.eslintignore
.eslintrc.json		.eslintrc.json
.gitattributes		.gitattributes
.gitignore		.gitignore
.prettierignore		.prettierignore
.prettierrc.json		.prettierrc.json
LICENSE		LICENSE
README.md		README.md
action.yml		action.yml
jest.config.js		jest.config.js
package-lock.json		package-lock.json
package.json		package.json
tsconfig.json		tsconfig.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

SBOM Action

About

Releases 9

Packages

Contributors 3

Languages

License

thepwagner/sbom-action

Folders and files

Latest commit

History

Repository files navigation

SBOM Action

About

Resources

License

Stars

Watchers

Forks

Releases 9

Packages 0

Contributors 3

Languages

Packages