coauthor-app/capture-action

Capture evidence for Medical Device software development with GitHub Actions and Coauthor

For market approval of a Medical Device by a regulatory or notified body, evidence of compliance with regulatory requirements (IEC 62304, FDA QSR, MDR, etc.) is required. This includes the software development process: the requirements, design, implementation, verification, and validation. This GitHub Action captures evidence from each software build in your CD pipeline as it is generated and stores it in a Technical File (DHF) using Coauthor, ready for submission for regulatory approval.

Usage

This action doesn't require an API key or storing another secret, but it does require access to the OIDC token from GitHub's OIDC provider. OIDC tokens are GitHub's recommended way to authenticate from GitHub Actions to external systems. An OIDC token is a short-lived credential uniquely generated for each GitHub Actions workflow run. The token includes claims about the workflow run, such as the repository, the workflow, the branch, the commit SHA and the run number; Coauthor uses these claims to add the correct information to the DHF technical file and to demonstrate a chain of custody from the build to the evidence.

To get this to work, configure your workflow with the id-token: write permission:

    permissions:
      id-token: write
      contents: read

Options

path (required): A file, directory or wildcard pattern of evidence to be uploaded from the GitHub workflow run.
switem (optional): The Software Item (IEC 62304) the evidence is associated with. Defaults to system.
evidence (required): The evidence category: system-verification, integration-verification, cybersecurity.
type (required): The type of evidence: bdd, sbom.
format (required): The file format of the evidence: cucumber+ndjson, cyclonedx.
hostname (required): The hostname of the Coauthor server.

Example - Cucumber BDD evidence for system verification

How to upload test results from Cucumber in the ndjson message format. Cucumber has a number of report formatters to choose from; the one that is compatible across all the programming languages supported by the Cucumber family is the message formatter: cucumber-js --format message:./reports/bdd/cucumber-messages.ndjson

    uses: coauthor-app/capture-action@main
    with:
      evidence: 'system-verification'
      type: 'bdd'
      format: 'cucumber+ndjson'
      path: 'reports/bdd/**'

Example - SBOM (Software Bill of Materials) for the cybersecurity plan

How to upload a Software Bill of Materials (SBOM) in CycloneDX format. CycloneDX is a lightweight SBOM specification that is easily created and consumed by developers, tools, and services. CycloneDX and SPDX are both valid SBOM formats for the FDA's cybersecurity requirements, as long as the tool generating the SBOM meets the NTIA's Minimum Elements for a Software Bill of Materials (SBOM) in Cybersecurity Risk Management.

Neither Coauthor nor this action generates an SBOM, but the action can capture the SBOM generated by an appropriate tool. We recommend looking at the SBOM Action that uses Syft, or the CycloneDX project, for more information on generating SBOMs.

    uses: coauthor-app/capture-action@main
    with:
      evidence: 'cybersecurity'
      type: 'sbom'
      format: 'cyclonedx'
      path: 'reports/sbom/**'
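The snippets above are step fragments. A complete workflow that ties together the permissions block from the Usage section, the Cucumber BDD step and the SBOM step is shown below as an added example; it is not part of the capture-action repository. Assumptions not stated on the page: the Coauthor hostname is read from a repository variable named COAUTHOR_HOSTNAME (a placeholder name), the project is a Node.js project running cucumber-js, and the SBOM is produced by the third-party anchore/sbom-action (Syft), whose inputs and version tag are assumed here.

```yaml
# Added example workflow; not from the coauthor-app/capture-action repository.
name: capture-evidence

on:
  push:
    branches: [main]

# Minimum permissions: id-token lets the capture step request a GitHub OIDC
# token; contents is read-only for checkout. No other scopes are granted.
permissions:
  id-token: write
  contents: read

jobs:
  evidence:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - run: npm ci

      # Cucumber message formatter writes the ndjson report used as BDD evidence.
      - run: |
          mkdir -p reports/bdd
          npx cucumber-js --format message:./reports/bdd/cucumber-messages.ndjson

      # System verification evidence. COAUTHOR_HOSTNAME is an assumed repository
      # variable holding the Coauthor server hostname (placeholder).
      - uses: coauthor-app/capture-action@main
        with:
          hostname: ${{ vars.COAUTHOR_HOSTNAME }}
          evidence: 'system-verification'
          type: 'bdd'
          format: 'cucumber+ndjson'
          path: 'reports/bdd/**'

      # SBOM generation is done by a separate tool; anchore/sbom-action (Syft)
      # and its inputs are an assumption of this example.
      - uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          output-file: reports/sbom/bom.cdx.json
          upload-artifact: false

      # Cybersecurity evidence: the CycloneDX SBOM produced by the previous step.
      - uses: coauthor-app/capture-action@main
        with:
          hostname: ${{ vars.COAUTHOR_HOSTNAME }}
          evidence: 'cybersecurity'
          type: 'sbom'
          format: 'cyclonedx'
          path: 'reports/sbom/**'
```

The workflow keeps the permissions block at the top level so every job inherits only id-token and contents read, which is all the capture step needs. The action references use @main to match the page's own snippets; for evidence that has to be reproducible for an audit, pinning third-party actions to a release tag or a full commit SHA is the usual practice, since a floating branch reference can change between two otherwise identical builds.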