Skip to content

philips-software/blackduck-report-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits

.github

.github

 
 

.gitignore

.gitignore

 
 

CODEOWNERS

CODEOWNERS

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

MAINTAINERS.md

MAINTAINERS.md

 
 

README.md

README.md

 
 

action.yml

action.yml

 
 

get-blackduck-report.sh

get-blackduck-report.sh

 
 

Repository files navigation

Black Duck report action

GitHub action to produce a SBOM report from a given Black Duck project.

Problem

When you get your project analyzed in Black Duck, you might also want to be able to create a report in your ci/cd build pipeline.

Black Duck can generate SPDX SBOM, but there is no way of trigger this with the official GitHub Action.

Purpose of this action

This action will enable you to trigger the creation of a Black Duck report (defaulted to SPDX22). It will also wait for Black Duck to complete the report and download it.

Usage

Description

Create Black Duck Report and download it

Inputs

parameter description required default
blackduck-url url to Black Duck instance true
blackduck-token Black Duck API token true
project Project name in Black Duck true
version Version in Black Duck true
report-format sbomType "SPDX_22" allows reportFormat values of "JSON", "RDF", "TAGVALUE" or "YAML". sbomType "CYCLONEDX_13" or "CYCLONEDX_14" allows reportFormat values of "JSON". sbomType "VERSION_LICENSE" allows reportFormat value "TEXT". false JSON
sbom-type Type of SBOM report. Allowed values - SPDX_22, CYCLONEDX_13, CYCLONEDX_14, or VERSION_LICENSE false SPDX_22

Outputs

parameter description
sbom-file SBOM filename if created
sbom-contents SBOM content if created

Example usage

- uses: philips-software/blackduck-report-action@v0.3
  id: blackduck-report
  with:
    blackduck-url: https://my-blackduck-server
    blackduck-token: ${{ secrets.BLACKDUCK_TOKEN }}
    project: my-project
    version: my-version

- name: show content - Be careful... sboms are huge.. this might cause some problems with io on GitHub.
  run: echo ${{steps.blackduck-report.outputs.sbom-contents}}

- name: Upload artifact
  uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
  with:
    name: sbom-report
    path: ${{steps.blackduck-report.outputs.sbom-file}}
    retention-days: 7

Script only

./get-blackduck-report.sh <blackduck-url> <blackduck-api-token> <project-name> <version-name>

Example

Here you can find an example of a complete workflow including the scanning of a project.

Contributing

You are welcome to contribute to this repository. Please look in the contributing guide how to do this.

Maintainers

Here you can find the maintainers of this project.

License

MIT

SBOM

This action only generates an SBOM report in Black Duck and downloads it. The report is not necessarily providing the correct SBOM.

About

GitHub action to produce a SBOM report from a given Black Duck project

Topics

blackduck software-bill-of-material

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

11 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases 4

v0.4 Latest
Nov 24, 2023
+ 3 releases

Packages

No packages published

Contributors 7

Languages