This workflow creates a Software Bill of Materials (SBOM) for the calling repository using the
anchore/sbom-action Action and then scans that SBOM for known vulnerabilities
using the anchore/scan-action Action. It runs on the ubuntu-latest runner label,
uses the default version of Python available on that runner, and uses the latest compatible
version of Poetry to generate the lock file for the calling
repository's Python package.
Important
In order to use this workflow, the Python package must be using the Poetry package manager.
Important
When calling this reusable workflow, the permissions must be set as follows. These grants are what the actions listed below require: `security-events: write` lets github/codeql-action/upload-sarif upload the scan results, and `id-token: write` together with `attestations: write` lets actions/attest-build-provenance sign and store the provenance attestation.

```yaml
permissions:
  security-events: write
  contents: write
  id-token: write
  attestations: write
```

Note
This workflow uses the following GitHub Actions:
- actions/checkout
- actions/setup-python
- anchore/sbom-action
- actions/attest-build-provenance
- anchore/scan-action
- actions/upload-artifact
- github/codeql-action/upload-sarif
See the Workflow file for the currently used versions of each GitHub Action.
Tip
See the Workflow file for implementation details.
| Input variable | Necessity | Description | Default |
|---|---|---|---|
| `pre-install-python-packages` | optional | Pre-install the specified Python packages before creating the SBOM (this string is passed directly to `pip install`). | `''` |
```yaml
name: Create & Scan SBOM
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  release:
    types: [published]
jobs:
  sbom-scan:
    uses: tektronix/python-package-ci-cd/.github/workflows/_reusable-sbom-scan.yml@v1.9.2
    permissions:
      security-events: write
      contents: write
      id-token: write
      attestations: write
```
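The workflow above hands the scan results to github/codeql-action/upload-sarif, so the SARIF file is the artifact a caller ends up gating on. As an added example (not code from the tektronix/python-package-ci-cd project or from anchore/scan-action), the script below summarizes such a SARIF report by severity and returns a failing status when anything at or above a chosen cutoff is present. It assumes the SARIF 2.1.0 layout (`runs[].tool.driver.rules[]` and `runs[].results[]`) and GitHub code scanning's optional `security-severity` rule property, which I am assuming grype populates; the SARIF document embedded in it, including the `RULE-*` identifiers, is constructed for the example, and the `results.sarif` path in the usage note is an assumption.

```python
"""Summarize a SARIF scan report and decide whether it should fail a build.

Added example for this page; it is not code from tektronix/python-package-ci-cd.
Assumptions: SARIF 2.1.0 layout (runs[].tool.driver.rules[] and
runs[].results[]) and GitHub code scanning's optional `security-severity`
rule property (a 0-10 CVSS-style score), assumed to be set by grype.
Results whose rule lacks that property fall back to the SARIF `level`.
"""
import json
import sys

# Score floors GitHub code scanning uses to map security-severity to a band.
SEVERITY_BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Fallback mapping from the SARIF result `level` when no score is available.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def severity_of(rule, result):
    """Severity band for one result, preferring the rule's security-severity."""
    score = (rule or {}).get("properties", {}).get("security-severity")
    if score is not None:
        value = float(score)
        for name, floor in SEVERITY_BANDS:
            if value >= floor:
                return name
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def summarize(sarif):
    """Count results per severity band across every run in the document."""
    counts = {name: 0 for name in RANK}
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r.get("id"): r for r in rules}
        for result in run.get("results", []):
            # Prefer the positional ruleIndex; fall back to matching on ruleId.
            idx = result.get("ruleIndex")
            if isinstance(idx, int) and 0 <= idx < len(rules):
                rule = rules[idx]
            else:
                rule = by_id.get(result.get("ruleId"))
            counts[severity_of(rule, result)] += 1
    return counts


def should_fail(counts, cutoff="high"):
    """True when any result is at or above `cutoff` (a severity gate)."""
    return any(counts[s] > 0 for s in RANK if RANK[s] >= RANK[cutoff])


# Constructed sample in the shape grype writes; the RULE-* ids are placeholders.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "grype", "rules": [
            {"id": "RULE-A", "properties": {"security-severity": "9.8"}},
            {"id": "RULE-B", "properties": {"security-severity": "5.3"}},
            {"id": "RULE-C"},
        ]}},
        "results": [
            {"ruleId": "RULE-A", "ruleIndex": 0, "level": "error",
             "message": {"text": "critical finding in package x"}},
            {"ruleId": "RULE-B", "ruleIndex": 1, "level": "warning",
             "message": {"text": "medium finding in package y"}},
            {"ruleId": "RULE-C", "level": "warning",
             "message": {"text": "finding with no score"}},
        ],
    }],
}


def main(argv):
    """Usage: sarif_gate.py [results.sarif] [cutoff]; exit 1 when the gate trips."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    cutoff = argv[2] if len(argv) > 2 else "high"
    counts = summarize(sarif)
    for name in ("critical", "high", "medium", "low"):
        print(f"{name:>8}: {counts[name]}")
    return 1 if should_fail(counts, cutoff) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sarif_gate.py results.sarif high` against the SARIF the workflow produces (the file name is an assumption). The fallback to `level` matters because a result without a scored rule would otherwise be silently dropped from the count. Separately, `@v1.9.2` in the caller above is a tag, which is a mutable ref; pinning the `uses:` line to the full commit SHA that tag points to is the stronger supply-chain choice.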