What would you like to be added
I would like Syft to be able to index GitHub workflow and GitHub action files to list GitHub Actions dependencies when generating an SBOM.
I think two new types could be added:
- `github-actions`: a step that is executed during a job. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
- `github-workflows`: a workflow that is called by another workflow. https://docs.github.com/en/actions/using-workflows/reusing-workflows and https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iduses
Why is this needed
I think that pipelines should also be integrated into the SBOM generation, as they're dependencies for a project (e.g. if a pipeline builds the final application, generates files, ...).
Additional context
For a GitHub action:

```yaml
steps:
  # Reference a specific commit
  - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
  # Reference the major version of a release
  - uses: actions/checkout@v3
  # Reference a specific version
  - uses: actions/checkout@v3.2.0
  # Reference a branch
  - uses: actions/checkout@main
```
Syft would have generated the following output:

| Name | Version | Type |
|------|---------|------|
| actions/checkout | 8f4b7f84864484a7bf31766abe9204da3cbe65b3 | github-actions |
| actions/checkout | v3 | github-actions |
| actions/checkout | v3.2.0 | github-actions |
| actions/checkout | main | github-actions |
For a GitHub workflow:

```yaml
jobs:
  call-workflow-1-in-local-repo:
    uses: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
  call-workflow-2-in-local-repo:
    uses: ./.github/workflows/workflow-2.yml
  call-workflow-in-another-repo:
    uses: octo-org/another-repo/.github/workflows/workflow.yml@v1
```
Syft would have parsed:

| Name | Version | Type |
|------|---------|------|
| octo-org/this-repo/.github/workflows/workflow-1.yml | 172239021f7ba04fe7327647b213799853a9eb89 | github-workflows |
| ./.github/workflows/workflow-2.yml | checksum of the local file? 🤔 | github-workflows |
| octo-org/another-repo/.github/workflows/workflow.yml | v1 | github-workflows |
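As an added illustration (not Syft's code, and not part of this issue), here is a small Python extractor that turns the `uses:` references from both snippets above into the proposed (name, version, type) rows and flags which ones are pinned to an immutable commit SHA. The `Dependency` class, the line-based regex and the `None` version for local paths are assumptions made for this example; the sample workflow is constructed from the issue's two snippets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches a `uses:` key at step level ("- uses: ...") or job level ("uses: ...").
# Assumption: one reference per line, as in the workflows quoted in the issue.
USES_RE = re.compile(r'^\s*(?:-\s+)?uses:\s*["\']?([^"\'\s#]+)')
COMMIT_SHA_RE = re.compile(r"[0-9a-f]{40}")

@dataclass(frozen=True)
class Dependency:
    name: str
    version: Optional[str]  # None for local paths, which carry no @ref to record
    type: str               # "github-actions" or "github-workflows"

def classify(ref: str) -> Dependency:
    """Turn one `uses:` value into the (name, version, type) row proposed above."""
    if ref.startswith("docker://"):
        raise ValueError(f"container references are out of scope here: {ref!r}")
    if ref.startswith("./"):
        # Local reference: a reusable workflow if it points at a workflow file,
        # otherwise a local action. The issue leaves the version open (it suggests
        # a checksum of the file); None is used here as a placeholder (assumption).
        kind = "github-workflows" if ref.endswith((".yml", ".yaml")) else "github-actions"
        return Dependency(ref, None, kind)
    name, sep, version = ref.partition("@")
    if not sep or not version:
        raise ValueError(f"remote reference without @ref: {ref!r}")
    if "/.github/workflows/" in name and name.endswith((".yml", ".yaml")):
        return Dependency(name, version, "github-workflows")
    return Dependency(name, version, "github-actions")

def extract(workflow_text: str) -> List[Dependency]:
    """Collect every `uses:` reference in a workflow file, in order of appearance."""
    return [classify(m.group(1)) for line in workflow_text.splitlines()
            if (m := USES_RE.match(line))]

def is_pinned_to_commit(dep: Dependency) -> bool:
    """Only a full commit SHA is immutable; tags and branches can be moved later."""
    return dep.version is not None and COMMIT_SHA_RE.fullmatch(dep.version) is not None

# Constructed sample combining the two snippets from the issue (one quoted form added).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
      - uses: actions/checkout@v3
      - uses: "actions/checkout@v3.2.0"  # quoted form
      - uses: actions/checkout@main
  call-workflow-1-in-local-repo:
    uses: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
  call-workflow-2-in-local-repo:
    uses: ./.github/workflows/workflow-2.yml
  call-workflow-in-another-repo:
    uses: octo-org/another-repo/.github/workflows/workflow.yml@v1
"""

if __name__ == "__main__":
    for d in extract(SAMPLE):
        print(f"{d.name:<55} {d.version or '-':<42} {d.type:<17} pinned={is_pinned_to_commit(d)}")
```

Run as a script it prints one row per reference; only the two SHA-pinned entries report `pinned=True`, which is the property a reviewer of the generated SBOM would most want to see.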