feat(SBOM): Support SBOM generation

[simar7]

This adds support for Trivy's SBOM generation.

Signed-off-by: Simar simar@linux.com

[krol3]

LGTM

[simar7]

Sorry I don't know what is going with GitHub's inline comments at the moment. But to reply to the feedback above:

1. Added a way to submit results within the Action itself: cc @knqyf263

      - name: Run Trivy in GitHub SBOM mode and upload results
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'sbom'
          format: 'github'
          output: 'dependency-results.sbom.json'
          artifact-type: 'fs'
          image-ref: '.'
          github-pat: ${{ secrets.PAT_TOKEN }}

2. Update README in a few places. cc @achton
3. Maybe Trivy can add --no-progress as a global option as today sbom doesn't have it cc @knqyf263 (see discussion at feat(SBOM): Support SBOM generation #129 (comment) if you are still able to see this comment)

[knqyf263]

1. Added a way to submit results within the Action itself: cc @knqyf263

Looks good. Thanks!

3. Maybe Trivy can add --no-progress as a global option as today sbom doesn't have it

The sbom subcommand is kind of like experimental and a bit flaky now. Can we use fs instead?

[simar7]

1. Added a way to submit results within the Action itself: cc @knqyf263

Looks good. Thanks!

3. Maybe Trivy can add --no-progress as a global option as today sbom doesn't have it

The sbom subcommand is kind of like experimental and a bit flaky now. Can we use fs instead?

Changed it to run fs scan instead. That helped eliminate one more option of artifact-Type so it's more clearer now.

name: Pull Request
on:
  push:
    branches:
    - master
  pull_request:
jobs:
  build:
    name: Checks
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'github'
          output: 'dependency-results.sbom.json'
          image-ref: '.'
          github-pat: '<github_pat_token>'

[itaysk]

this is great. one small suggestion: so now if format=github the action will decide to automatically post the output to github. this is convenient but possibly too "magical" for people who don't expect it. So maybe a way to keep it convenient but less "magic" is to only post to github if specified by for example an output option like output=github (or `github-dependency-snapshot). just a suggestion

[simar7]

this is great. one small suggestion: so now if format=github the action will decide to automatically post the output to github. this is convenient but possibly too "magical" for people who don't expect it. So maybe a way to keep it convenient but less "magic" is to only post to github if specified by for example an output option like output=github (or `github-dependency-snapshot). just a suggestion

I thought about it as well. I concluded with the fact that anyone whose looking to generate a GitHub-compliant SBOM most likely isn't going to use it on their own but rather submit it to GitHub Dependency Snapshot. This is more of an exception (compared to other sbom formats) but it is the common use case for GitHub format.

So I decided to go ahead with Teppei's idea. We can always change it in the future if it becomes otherwise.