sbomify

Version updated for https://github.com/sbomify/github-action to version v0.12.

  • This action is used across all versions by 24 repositories.

Go to the GitHub Marketplace to find the latest changes.

Action Summary

The sbomify GitHub Action automates the generation, augmentation, and management of Software Bill of Materials (SBOMs) directly within CI/CD pipelines. It supports creating SBOMs in CycloneDX or SPDX formats from source code dependencies, Docker images, and other artifacts, while enriching them with metadata for enhanced traceability, compliance, and security. This action streamlines SBOM management, enabling cryptographic signing, attestation, and integration with tools like sbomify for collaboration and vulnerability management.

Release notes

New Features

CRA (Cyber Resilience Act) Compliance Support

  • Added security_contact field for vulnerability reporting (URL/email)
  • Added support_period_end field for security support end date
  • Expanded lifecycle event support with release_date and end_of_life fields
  • Both CycloneDX and SPDX formats supported

SPDX Product Tagging

  • Added product metadata tagging for SPDX SBOMs, bringing parity with CycloneDX

Tool Version Checker

  • Added bin/check_tool_versions.py script to check and update bundled tool versions from GitHub releases

Improvements

Better Error Handling

  • Added DockerImageNotFoundError for clearer errors when Docker images don’t exist
  • Improved duplicate SBOM upload handling with graceful error recovery
  • Better error messages for duplicate uploads with version hints

Updated Bundled Tools

  • Trivy: 0.67.2 → 0.68.2
  • Syft: 1.39.0 → 1.40.1

Bug Fixes

  • Fixed SPDX schema resolution error during validation
  • Fixed SPDX lockfile detection for full paths generated by Trivy
  • Fixed Docker tag mismatch in production container SBOM jobs