GitHub Action to upload generated BOMs to OWASP Dependency-Track.

Please note: `node_modules` has to be checked in, because the action runs from its own `node_modules` directory at execution time.
Inputs:

- `serverUrl` (required): fully qualified URL of your Dependency-Track server, including the `/api/v1/bom` path as shown in the examples below.
- `apiKey` (required): your Dependency-Track API key.
- `bomFile` (required): file name including the path to the BOM file, e.g. `/build/reports/bom.xml`.
- `projectUUID` (optional): UUID of the project.
- `projectName` (optional): name of the project.
- `projectVersion` (optional): version of the project.
- `autoCreate` (optional): whether the project should be created automatically if it does not exist; default is `false`.

Please note: either `projectUUID` OR (`projectName` AND `projectVersion`) is required.

Outputs:

- `statusCode`: the status code returned by the upload.
Usage:

You should have generated your CycloneDX BOM with the tool of your choice to `build/reports/bom.xml`. To upload the BOM, you can use one of the following variants.

1. You specify `projectName`, `projectVersion` and `autoCreate: true` and let Dependency-Track create a project for you automatically:
```yaml
- name: Upload bom to dependency-track instance
  uses: attempto-Lab/dependencytrackupload-github-action@v1
  id: deptrack
  with:
    serverUrl: 'https://deptrack.yourhost.org/api/v1/bom'
    apiKey: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
    bomFile: 'build/reports/bom.xml'
    projectName: 'your-fancy-project'
    projectVersion: '1.0.0'
    autoCreate: true
- name: StatusCode
  run: echo "Upload returned ${{ steps.deptrack.outputs.statusCode }}"
```
2. You create the project in Dependency-Track beforehand and specify its UUID using the key `projectUUID`:
```yaml
- name: Upload bom to dependency-track instance
  uses: attempto-Lab/dependencytrackupload-github-action@v1
  id: deptrack
  with:
    serverUrl: 'https://deptrack.yourhost.org/api/v1/bom'
    apiKey: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
    bomFile: 'build/reports/bom.xml'
    projectUUID: '...PUT YOUR PROJECT-UUID HERE...'
- name: StatusCode
  run: echo "Upload returned ${{ steps.deptrack.outputs.statusCode }}"
```
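The input rule above (either `projectUUID`, or `projectName` plus `projectVersion`) and the `statusCode` output, shown as an added Node.js example that is not the action's own code: it validates the inputs, refuses to send the API key over plain HTTP, and prepares the upload request without performing it. The multipart field names and the `X-Api-Key` header follow Dependency-Track's BOM upload API as I understand it; the BOM content in the test is a constructed sample.

```javascript
// Added example, not part of the action: mirrors the README's input rule and
// prepares a Dependency-Track BOM upload request (nothing is sent here).
// Assumption: Dependency-Track accepts the BOM as a multipart POST to
// /api/v1/bom, authenticated with an X-Api-Key header.
const SUCCESS_CODES = new Set([200]);

// Picks the project selector the caller may use, or throws when neither
// projectUUID nor projectName+projectVersion is supplied.
function resolveProject(inputs) {
  const { projectUUID, projectName, projectVersion, autoCreate } = inputs;
  if (projectUUID) return { project: projectUUID };
  if (projectName && projectVersion) {
    // GitHub passes inputs as strings, so accept 'true' as well as true.
    const create = autoCreate === true || autoCreate === 'true';
    return { projectName, projectVersion, autoCreate: create };
  }
  throw new Error('either projectUUID OR (projectName AND projectVersion) is required');
}

// Builds the request descriptor. Rejects non-HTTPS servers so the API key
// never travels in clear text, and base64-encodes the BOM bytes.
function buildUploadRequest(inputs, bomBytes) {
  const url = new URL(inputs.serverUrl);
  if (url.protocol !== 'https:') throw new Error('serverUrl must use https');
  if (!inputs.apiKey) throw new Error('apiKey is required');
  return {
    method: 'POST',
    url: url.toString(),
    headers: { 'X-Api-Key': inputs.apiKey },
    form: { ...resolveProject(inputs), bom: Buffer.from(bomBytes).toString('base64') },
  };
}

// Interprets the statusCode output: only 200 means the BOM was accepted,
// so a workflow should fail on anything else instead of just echoing it.
function uploadSucceeded(statusCode) {
  return SUCCESS_CODES.has(Number(statusCode));
}
```

The workflow step that echoes `statusCode` can be replaced by a check that calls the equivalent of `uploadSucceeded` and fails the job otherwise.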