| 1 | +# SBOM & Vulnerability Scanning Automation |
| 2 | + |
| 3 | +This repository uses GitHub Actions to automatically generate a Software Bill of Materials (SBOM), scan for vulnerabilities, and produce package inventory reports. |
| 4 | + |
| 5 | +All reports are named with the repository name for easy identification. |
| 6 | + |
| 7 | +## Features |
| 8 | + |
| 9 | +SBOM Generation: Uses Syft to generate an SPDX JSON SBOM. |
| 10 | +SBOM Merging: Merges SBOMs for multiple tools if needed. |
| 11 | +SBOM to CSV: Converts SBOM JSON to a CSV report. |
| 12 | +Vulnerability Scanning: Uses Grype to scan the SBOM for vulnerabilities and outputs a CSV report. |
| 13 | +Package Inventory: Extracts a simple package list (name, type, version) as a CSV. |
| 14 | +Artifacts: All reports are uploaded as workflow artifacts with the repository name in the filename. |
| 15 | + |
| 16 | +## Workflow Overview |
| 17 | + |
| 18 | +The main workflow is defined in .github/workflows/sbom.yml |
| 19 | + |
| 20 | +## Scripts |
| 21 | + |
| 22 | +scripts/create-sbom.sh |
| 23 | +Generates an SBOM for the repo and for specified tools, merging them as needed. |
| 24 | +scripts/update-sbom.py |
| 25 | +Merges additional SBOMs into the main SBOM. |
| 26 | +.github/scripts/sbom_json_to_csv.py |
| 27 | +Converts the SBOM JSON to a detailed CSV report. |
| 28 | +.github/scripts/grype_json_to_csv.py |
| 29 | +Converts Grype’s vulnerability scan JSON output to a CSV report. |
| 30 | +Output columns: REPO, NAME, INSTALLED, FIXED-IN, TYPE, VULNERABILITY, SEVERITY |
| 31 | +.github/scripts/sbom_packages_to_csv.py |
| 32 | +Extracts a simple package inventory from the SBOM. |
| 33 | +Output columns: name, type, version |
| 34 | + |
| 35 | +## Example Reports |
| 36 | + |
| 37 | +Vulnerability Report |
| 38 | +grype-report-[RepoName].csv |
| 39 | +REPO,NAME,INSTALLED,FIXED-IN,TYPE,VULNERABILITY,SEVERITY |
| 40 | +my-repo,Flask,2.1.2,,library,CVE-2022-12345,High |
| 41 | +... |
| 42 | + |
| 43 | +Package Inventory |
| 44 | +sbom-packages-[RepoName].csv |
| 45 | +name,type,version |
| 46 | +Flask,library,2.1.2 |
| 47 | +Jinja2,library,3.1.2 |
| 48 | +... |
| 49 | + |
| 50 | +## Usage |
| 51 | + |
| 52 | +Push to main branch or run the workflow manually. |
| 53 | +Download artifacts from the workflow run summary. |
| 54 | + |
| 55 | +## Customization |
| 56 | + |
| 57 | +Add more tools to scripts/create-sbom.sh as needed. |
| 58 | +Modify scripts to adjust report formats or add more metadata. |
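Review bot: The Features, Scripts and Example Reports sections are written as bare consecutive lines, so Markdown will collapse each section into one run-on paragraph; prefix the items with `- ` and put the script paths, the column headers and the sample CSV rows (e.g. `REPO,NAME,INSTALLED,FIXED-IN,TYPE,VULNERABILITY,SEVERITY` / `my-repo,Flask,2.1.2,,library,CVE-2022-12345,High`) in fenced code blocks so they render as lists and tables. The Usage section only says to push to main and download the artifacts; please state whether the Grype step is report-only or fails the workflow above a severity threshold, since that is the first thing a consumer of `grype-report-[RepoName].csv` will want to know. The sample row also uses a CVE-style identifier that is not marked as illustrative; label the example as fictitious so it is not mistaken for a real finding.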