This action uses Syft to create a SBOM (Software Bill of Materials). It archive the result as an output of the Github Action run.
Add this step after building and pushing your container image to GitHub's registry:
- name: Create SBOM
uses: digitalservicebund/create-sbom@LATEST_HASH
with:
image_name: ${{ github.repository }}:${{ github.sha }}Inputs:
image_name: required. Target image for which the SBOM should be created.output_format: optional. Output format of the SBOM. Available formats listed here.
After merging a dependabot PR or pushing changes, you need to cut a new release.