GitHub action to produce a SBOM report from a given Black Duck project.
When you get your project analyzed in Black Duck, you might also want to be able to create a report in your ci/cd build pipeline.
Black Duck can generate SPDX SBOM, but there is no way of trigger this with the official GitHub Action.
This action will enable you to trigger the creation of a Black Duck report (defaulted to SPDX22). It will also wait for Black Duck to complete the report and download it.
Create Black Duck Report and download it
| parameter | description | required | default |
|---|---|---|---|
| blackduck-url | url to Black Duck instance | true |
|
| blackduck-token | Black Duck API token | true |
|
| project | Project name in Black Duck | true |
|
| version | Version in Black Duck | true |
|
| sbom-type | Type of SBOM report | false |
| parameter | description |
|---|---|
| sbom-file | SBOM filename if created |
| sbom-contents | SBOM content if created |
- uses: philips-software/[email protected]
id: blackduck-report
with:
blackduck-url: https://my-blackduck-server
blackduck-token: ${{ secrets.BLACKDUCK_TOKEN }}
project: my-project
version: my-version
- name: show content - Be careful... sboms are huge.. this might cause some problems with io on GitHub.
run: echo ${{steps.blackduck-report.outputs.sbom-contents}}
- name: Upload artifact
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
with:
name: sbom-report
path: ${{steps.blackduck-report.outputs.sbom-file}}
retention-days: 7./get-blackduck-report.sh <blackduck-url> <blackduck-api-token> <project-name> <version-name>Here you can find an example of a complete workflow including the scanning of a project.
You are welcome to contribute to this repository. Please look in the contributing guide how to do this.
Here you can find the maintainers of this project.
MIT
This action only generates an SBOM report in Black Duck and downloads it. The report is not necessarily providing the correct SBOM.
