Skip to content

a Github action that allows automated creation and risks (vulnerability, license, malware, etc.) analysis of software bill of materials from code repositories. .

License

Notifications You must be signed in to change notification settings

DeepBitsTechnology/getsbom

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

SBOM status for Deepbits SBOM Action

Deepbits SBOM Action

A free Github action for open-source projects that enables automated creation and risks (vulnerability, license, malware, etc.) analysis of software bill of materials (SBOM) from code repositories.

Powered by Deepbits.

Features

  • Easy to set up and use.
  • Scan your code repositories to identify hidden malware.
  • Create Software Bill of materials (SBOM) for your code repositories.
  • Analyze SBOMs of your project to identify vulnerabilities and license issues.
  • Leverage AI and program analysis to deliver better accuracy and performance.

Note: This action only supports public repositories at the moment. Private repositories are not supported.

Basic Usage

To use this action, simply add it as a step in your GitHub Actions workflow:

- uses: DeepBitsTechnology/getsbom@v1.5.0

Example Usage

jobs:
  deepbits-scan:
    runs-on: ubuntu-latest
    outputs:
      SCAN_BADGE: ${{ steps.deepbits-scan.outputs.DEEPBITS_BADGE }}
      DEEPSCA_BRANCH_LINK: ${{ steps.deepbits-scan.outputs.DEEPSCA_BRANCH }}
      DEEPSCA_REPO_LINK: ${{ steps.deepbits-scan.outputs.DEEPSCA_REPO }}
    steps:
      - uses: DeepBitsTechnology/getsbom@v1.5.0
        id: deepbits-scan

Actions Artifact

After the scan is complete, an artifact named DEEPBITS_SCAN_RESULTS will be generated, which contains two files:

Output Description
deepbits-sbom-{{owner}}-{{repo}}-{{sha}}.zip A ZIP file consists of the SBOM result, along with the signature of the SBOM and Deepbits’ certificate required for verifying the signature. (For example: deepbits-sbom-DeepBitsTechnology-getsbom-db3bc50.zip)
scanSummary.json Scan result contains vulnerability and malware summary in JSON format

The structure of the deepbits-sbom-{{owner}}-{{repo}}-{{sha}}.zip file is as follows:

FileName Description
{{owner}}-{{repo}}-{{sha}}.CycloneDX.json SBOM in CycloneDX format. (For example: DeepBitsTechnology-getsbom-db3bc50.CycloneDX.json)
CycloneDX.signature.bin The signature of the SBOM
deepbits.cert Deepbits’ certificate required for verifying the signature
README.md Contains instructions on how to verify the signature

We have included a sample folder called sample_scan_results in the repository here.

It contains example artifacts generated by our action that you can use to analyze and view scan results.

We hope that these examples will help you understand the capabilities of our action and how it can enhance the security and compliance of your project.

Actions Outputs

In addition to the artifact, you may also view the scan results and your previous scan histories on DeepSCA.

Additionally, a SVG is available that can be included in your README file.

To obtain these outputs, please refer to the three options listed below:

Output Description
DEEPSCA_REPO The URL to access the repo details of DeepSCA
DEEPSCA_BRANCH The URL to access the scan report of the branch on DeepSCA
DEEPBITS_BADGE A SVG badge displaying the status of the the repo

You can add the SVG badge to your README.md file like this:

[![SBOM status]({{DEEPBITS_BADGE}})]({{DEEPSCA_REPO}})

For example, the badge for this repository is:

[![SBOM status](https://api.deepbits.com/gh/DeepBitsTechnology/getsbom/badge)](https://tools.deepbits.com/github/DeepBitsTechnology/getsbom)

SBOM status

The image below is a screenshot of a scan result on DeepSCA, which is accessible through the DEEPSCA_BRANCH output.

Scan result on DeepSCA

The scan results displayed in DeepSCA are interactive and allow you to view detailed information about the components used in your project, as well as any vulnerabilities or licensing issues detected during the scan.

Click this URL to see the comprehensive view of the screenshot results.

License

This project is licensed under the MIT License. Please see the LICENSE file for more information.

Support

If you encounter any issues or have any questions about the Deepbits SBOM GitHub Action, please feel free to contact us at help@deepbits.com. We are always happy to help!

About

a Github action that allows automated creation and risks (vulnerability, license, malware, etc.) analysis of software bill of materials from code repositories. .

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •