GitHub Action
Deepbits SBOM Action
A free Github action for open-source projects that enables automated creation and risks (vulnerability, license, malware, etc.) analysis of software bill of materials (SBOM) from code repositories.
Powered by Deepbits.
- Easy to set up and use.
- Scan your code repositories to identify hidden malware.
- Create Software Bill of materials (SBOM) for your code repositories.
- Analyze SBOMs of your project to identify vulnerabilities and license issues.
- Leverage AI and program analysis to deliver better accuracy and performance.
Note: This action only supports public repositories at the moment. Private repositories are not supported.
To use this action, simply add it as a step in your GitHub Actions workflow:
- uses: DeepBitsTechnology/getsbom@v1.5.0jobs:
deepbits-scan:
runs-on: ubuntu-latest
outputs:
SCAN_BADGE: ${{ steps.deepbits-scan.outputs.DEEPBITS_BADGE }}
DEEPSCA_BRANCH_LINK: ${{ steps.deepbits-scan.outputs.DEEPSCA_BRANCH }}
DEEPSCA_REPO_LINK: ${{ steps.deepbits-scan.outputs.DEEPSCA_REPO }}
steps:
- uses: DeepBitsTechnology/getsbom@v1.5.0
id: deepbits-scanAfter the scan is complete, an artifact named DEEPBITS_SCAN_RESULTS will be generated, which contains two files:
| Output | Description |
|---|---|
| deepbits-sbom-{{owner}}-{{repo}}-{{sha}}.zip | A ZIP file consists of the SBOM result, along with the signature of the SBOM and Deepbits’ certificate required for verifying the signature. (For example: deepbits-sbom-DeepBitsTechnology-getsbom-db3bc50.zip) |
| scanSummary.json | Scan result contains vulnerability and malware summary in JSON format |
The structure of the deepbits-sbom-{{owner}}-{{repo}}-{{sha}}.zip file is as follows:
| FileName | Description |
|---|---|
| {{owner}}-{{repo}}-{{sha}}.CycloneDX.json | SBOM in CycloneDX format. (For example: DeepBitsTechnology-getsbom-db3bc50.CycloneDX.json) |
| CycloneDX.signature.bin | The signature of the SBOM |
| deepbits.cert | Deepbits’ certificate required for verifying the signature |
| README.md | Contains instructions on how to verify the signature |
We have included a sample folder called sample_scan_results in the repository here.
It contains example artifacts generated by our action that you can use to analyze and view scan results.
We hope that these examples will help you understand the capabilities of our action and how it can enhance the security and compliance of your project.
In addition to the artifact, you may also view the scan results and your previous scan histories on DeepSCA.
Additionally, a SVG is available that can be included in your README file.
To obtain these outputs, please refer to the three options listed below:
| Output | Description |
|---|---|
| DEEPSCA_REPO | The URL to access the repo details of DeepSCA |
| DEEPSCA_BRANCH | The URL to access the scan report of the branch on DeepSCA |
| DEEPBITS_BADGE | A SVG badge displaying the status of the the repo |
You can add the SVG badge to your README.md file like this:
[]({{DEEPSCA_REPO}})For example, the badge for this repository is:
[](https://tools.deepbits.com/github/DeepBitsTechnology/getsbom)The image below is a screenshot of a scan result on DeepSCA, which is accessible through the DEEPSCA_BRANCH output.
The scan results displayed in DeepSCA are interactive and allow you to view detailed information about the components used in your project, as well as any vulnerabilities or licensing issues detected during the scan.
Click this URL to see the comprehensive view of the screenshot results.
This project is licensed under the MIT License. Please see the LICENSE file for more information.
If you encounter any issues or have any questions about the Deepbits SBOM GitHub Action, please feel free to contact us at help@deepbits.com. We are always happy to help!