This GitHub action creates a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies. CycloneDX is a lightweight SBOM specification that is easy to create, human and machine readable, and simple to parse.

This action reads the project's `node_modules` directory, so it will typically need to run after the `npm install`/build step has populated it.
## Inputs

- `path`: The path to a Node.js project. Default is `"./"`. Be sure to quote paths with spaces.
- `output`: Output filename. Default is `"./bom.xml"`. Be sure to quote paths with spaces.
## Usage

Minimal step, using the default `path` and `output`:

```yaml
- uses: CycloneDX/gh-node-module-generatebom@v1
```

Step with both inputs set:

```yaml
- name: Create SBOM step
  uses: CycloneDX/gh-node-module-generatebom@v1
  with:
    path: './node_project/'
    output: './bom_directory/test.app.bom.xml'
```
Complete workflow that installs dependencies first, then generates the SBOM:

```yaml
name: Build javascript project
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    name: Install and build javascript
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16'
      - run: npm install
      - name: Create SBOM with CycloneDX
        uses: CycloneDX/gh-node-module-generatebom@v1
        with:
          output: './test.app.bom.xml'
```
This action uses `@cyclonedx/bom@<4`. See `@cyclonedx/bom` on npm.