Note

This GitHub Action is considered deprecated.
Instead, you may use one of the following tools in your GitHub workflow:

- for NPM projects: `@cyclonedx/cyclonedx-npm`

  ```yaml
  - name: Create SBOM step
    # see for usage: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-npm
    run: npx @cyclonedx/cyclonedx-npm --help
  ```

- for YARN projects: `@cyclonedx/yarn-plugin-cyclonedx`

  ```yaml
  - name: Create SBOM step
    # see for usage: https://www.npmjs.com/package/%40cyclonedx/yarn-plugin-cyclonedx
    run: yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --help
  ```

- for PNPM projects: to be announced

For other Node.js related CycloneDX SBOM generators, see also: https://github.com/CycloneDX/cyclonedx-node-module/blob/master/README.md#out-of-scope
This GitHub action will create a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies. CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.

This GitHub action requires a `node_modules` directory, so it will typically need to run after an `npm install`/build step.
Inputs:

- `path`: the path to a Node.js project, default is `./`. Be sure to quote paths with spaces.
- `output`: output filename, default is `./bom.xml`. Be sure to quote paths with spaces.
Basic usage, with the default inputs:

```yaml
uses: CycloneDX/gh-node-module-generatebom@v1
```

Example with custom `path` and `output`:

```yaml
- name: Create SBOM step
  uses: CycloneDX/gh-node-module-generatebom@v1
  with:
    path: './node_project/'
    output: './bom_directory/test.app.bom.xml'
```
Full workflow example:

```yaml
name: Build javascript project
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    name: Install and build javascript
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16'
      - run: npm install
      - name: Create SBOM with CycloneDX
        uses: CycloneDX/gh-node-module-generatebom@v1
        with:
          output: './test.app.bom.xml'
```
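Once the workflow has produced `test.app.bom.xml`, a consumer usually wants to check that the file really is a CycloneDX BOM and that each component carries the fields downstream tooling (vulnerability matching, license review) depends on: a version, a package URL and a declared license. The script below is an added example, not part of this action or of the CycloneDX project. It parses CycloneDX XML with the standard library only, reads the BOM path from its first argument, and falls back to a constructed sample BOM (the component names, versions and purls are made up) so it runs offline.

```python
"""Inspect a CycloneDX XML SBOM such as the bom.xml this action produces.

Added example; not code from the action or from CycloneDX. Usage:
    python inspect_bom.py ./test.app.bom.xml
Without an argument the constructed SAMPLE_BOM_XML below is inspected.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample BOM: the component names, versions and purls are made up.
SAMPLE_BOM_XML = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4"
     serialNumber="urn:uuid:00000000-0000-4000-8000-000000000000" version="1">
  <metadata>
    <component type="application">
      <name>test.app</name>
      <version>1.0.0</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>example-lib</name>
      <version>2.3.4</version>
      <purl>pkg:npm/example-lib@2.3.4</purl>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
    <component type="library">
      <group>@example</group>
      <name>scoped-lib</name>
      <version>0.1.0</version>
      <purl>pkg:npm/%40example/scoped-lib@0.1.0</purl>
    </component>
    <component type="library">
      <name>no-version-lib</name>
    </component>
  </components>
</bom>
"""

# CycloneDX XML roots are <bom> in the namespace http://cyclonedx.org/schema/bom/<spec version>.
NS_RE = re.compile(r"^\{(http://cyclonedx\.org/schema/bom/(\d+\.\d+))\}bom$")


def parse_bom(xml_text):
    """Return (spec_version, components) parsed from CycloneDX XML.

    Each component is a dict with type, group, name, version, purl and a list
    of license ids/names; absent fields are None or an empty list.
    Raises ValueError if the root element is not a CycloneDX <bom>.
    """
    root = ET.fromstring(xml_text)
    match = NS_RE.match(root.tag)
    if not match:
        raise ValueError("not a CycloneDX BOM: root element is %r" % root.tag)
    ns_uri, spec_version = match.group(1), match.group(2)

    def q(tag):
        # Namespace-qualify a tag name for ElementTree lookups.
        return "{%s}%s" % (ns_uri, tag)

    components = []
    for comp in root.iterfind("./%s/%s" % (q("components"), q("component"))):
        def text(tag, _comp=comp):
            value = _comp.findtext(q(tag))
            return value.strip() if value and value.strip() else None

        licenses = []
        for lic in comp.iterfind("./%s/%s" % (q("licenses"), q("license"))):
            # SPDX <id> is preferred; fall back to a free-text <name>.
            licenses.append((lic.findtext(q("id")) or lic.findtext(q("name")) or "").strip())
        components.append({
            "type": comp.get("type"),
            "group": text("group"),
            "name": text("name"),
            "version": text("version"),
            "purl": text("purl"),
            "licenses": licenses,
        })
    return spec_version, components


def quality_issues(components):
    """List components a downstream consumer cannot fully use: no version
    (no vulnerability matching), no purl (no ecosystem identity), no license."""
    issues = []
    for c in components:
        label = "%s/%s" % (c["group"], c["name"]) if c["group"] else c["name"]
        if not c["version"]:
            issues.append("%s: missing version" % label)
        if not c["purl"]:
            issues.append("%s: missing purl" % label)
        if not c["licenses"]:
            issues.append("%s: no license declared" % label)
    return issues


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_BOM_XML
    spec_version, components = parse_bom(xml_text)
    print("CycloneDX spec %s, %d components" % (spec_version, len(components)))
    issues = quality_issues(components)
    for issue in issues:
        print("WARN", issue)
    return 1 if issues else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script exits non-zero when any component is incomplete, it can run as the step after the SBOM step in the workflow above to fail the build on a low-quality BOM.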
This action uses `@cyclonedx/bom@<4`. See `@cyclonedx/bom` on npmjs.