Support SBOM format in actions #18918
Unanswered
davidkarlsen asked this question in Code Security
Replies: 2 comments 1 reply
-
Support for the CycloneDX standard would be ideal as it's already supported by the majority of SCA and related security vendors, and has already been standardized upon by GitLab. Support in Actions would provide an easy path forward for many organizations, and provide the interop they require.
1 reply
-
SPDX is another important, and widely used, open-source standard. NTIA has come up with a mapping between the standards, so it may be possible to support both: https://www.ntia.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf
0 replies
-
It would be good if the tooling could support SBOM formats: https://anchore.com/sbom/key-things-to-know-about-sboms-and-sbom-standards/
That way you can rely on a standard for software bill of materials, rather than having to have implementations for the various languages (like pom.xml, etc.). SBOM tooling already supports things like Python, Maven, etc., and thus a bridge for SBOM -> GitHub dependency API is all that's needed.
https://github.com/CycloneDX/cyclonedx-maven-plugin
https://github.com/anchore/syft
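To make the "bridge" idea in the question concrete, and the reply's point that both CycloneDX and SPDX can be handled through one mapping, here is an added example (not code from the asker, the repliers, GitHub, syft or the CycloneDX project). It parses two constructed, minimal SBOM documents (one CycloneDX JSON, one SPDX JSON), normalises both into a single component list keyed by package URL, drops packages that carry no purl (they cannot be matched to an ecosystem), merges duplicates, and builds a manifest object. The field names of that manifest (`package_url`, `relationship`, `scope`, `resolved`) follow the shape of GitHub's dependency submission API as I understand it and should be treated as an assumption, not as something this discussion documents.

```python
"""Normalise CycloneDX or SPDX JSON SBOMs into one component list, then
build a manifest in the shape of GitHub's dependency submission API.

Both sample documents below are constructed for this example, not real
project SBOMs. The manifest field names are an assumption about the
submission API, not taken from the discussion above."""
import json

# Constructed CycloneDX JSON document (minimal, made up for this example).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
    ],
})

# Constructed SPDX JSON document (minimal, made up for this example).
# The second package has no purl and must be skipped, not guessed at.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "jackson-databind", "versionInfo": "2.13.4",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}]},
        {"name": "no-purl-lib", "versionInfo": "0.1.0", "externalRefs": []},
    ],
})


def detect_format(doc):
    """Identify the SBOM standard from top-level markers of the document."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("unrecognised SBOM format")


def components_from_cyclonedx(doc):
    """CycloneDX keeps the purl directly on each component."""
    out = []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if purl:  # components without a purl cannot be mapped to an ecosystem
            out.append({"name": comp["name"], "version": comp.get("version"), "purl": purl})
    return out


def components_from_spdx(doc):
    """SPDX carries the purl as an external reference of type 'purl'."""
    out = []
    for pkg in doc.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        if purl:
            out.append({"name": pkg["name"], "version": pkg.get("versionInfo"), "purl": purl})
    return out


def normalise_sbom(text):
    """Parse one SBOM document and return a format-independent component list."""
    doc = json.loads(text)
    fmt = detect_format(doc)
    return components_from_cyclonedx(doc) if fmt == "cyclonedx" else components_from_spdx(doc)


def merge_components(*lists):
    """Merge several component lists, deduplicating on purl (first seen wins)."""
    seen = {}
    for comps in lists:
        for comp in comps:
            seen.setdefault(comp["purl"], comp)
    return list(seen.values())


def ecosystem_of(purl):
    """Return the purl type (maven, pypi, ...), i.e. the package ecosystem."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def build_manifest(components, manifest_name="sbom.json"):
    """Build one manifest entry in the assumed dependency submission API shape."""
    resolved = {
        comp["purl"]: {"package_url": comp["purl"], "relationship": "direct", "scope": "runtime"}
        for comp in components
    }
    return {"name": manifest_name, "file": {"source_location": manifest_name}, "resolved": resolved}


if __name__ == "__main__":
    merged = merge_components(normalise_sbom(CYCLONEDX_SAMPLE), normalise_sbom(SPDX_SAMPLE))
    print(json.dumps(build_manifest(merged), indent=2))
```

Running the block prints one manifest with two resolved entries: the Maven artifact appears once even though both documents list it, and the SPDX package without a purl is left out rather than mapped to a guessed ecosystem. Relationship and scope are fixed to direct/runtime here because neither sample carries dependency-graph or scope data; a real bridge would read CycloneDX `dependencies` or SPDX relationships to fill them.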