GitHub Action

SBOM-generator-action

v0.0.1 Latest version

Generates an SBOM from your repository dependency graph

Installation

Copy and paste the following snippet into your .yml file.

- name: SBOM-generator-action
  uses: advanced-security/sbom-generator-action@v0.0.1

Learn more about this action in advanced-security/sbom-generator-action


SBOM Generator

This repository uses GitHub's dependency graph to automatically build an SBOM in SPDX 2.3 format. It supports the same ecosystems as the dependency graph. If you need support for a different set of formats, we recommend having a look at the Microsoft SBOM Tool, or Anchore's Syft.

Usage

GitHub Actions

You can add this Action to a GitHub Actions workflow by adding the following YAML to a workflow file. The `permissions: read-all` block gives the job's GITHUB_TOKEN read-only access to the repository, which is all the action needs to read the dependency graph; the token is handed to the action through the GITHUB_TOKEN environment variable. The final step publishes the generated SBOM as an artifact of the workflow run.

name: SBOM Generator

on:
  push:
    branches: [ "main" ]

  workflow_dispatch:

# Read-only token: the action only needs to read the dependency graph.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      # Generates the SPDX document and exposes its path as the fileName output.
      - uses: advanced-security/sbom-generator-action@v0.0.1
        id: sbom
        env:
          GITHUB_TOKEN: ${{ github.token }}

      # Publishes the generated file as a workflow artifact named "SBOM".
      - uses: actions/upload-artifact@v3.1.0
        with:
          path: ${{ steps.sbom.outputs.fileName }}
          name: "SBOM"

As a CLI

  1. Clone this repository to your local machine.
  2. Change into that directory and run npm install -g . to install the CLI locally.
  3. Run sbom-generator "githubtoken" "owner/name", where githubtoken is a classic (legacy) GitHub personal access token with read permission on the repository and owner/name is the GitHub repository to scan. If the arguments are omitted, the CLI reads them from the GITHUB_TOKEN and GITHUB_REPOSITORY environment variables instead (inside GitHub Actions, GITHUB_REPOSITORY is set automatically and GITHUB_TOKEN is set as in the workflow above). Prefer the environment variables over the positional arguments: a token passed on the command line ends up in shell history and is visible in process listings.

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.