anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Show dependencies for Github Actions #2953

Open yaabdala opened 3 months ago

yaabdala commented 3 months ago

Summary

I would like to submit a feature request for showing the dependencies of GitHub Actions.

Current behavior

syft has no problem finding GitHub Actions and showing them as dependencies of a project when you run syft on a git repo directory that uses GitHub Actions. However, the dependencies of those actions are not listed. We have to download the release archive of the GitHub Action and run syft on that to get some visibility.

Steps to reproduce

  1. Check out a repository that uses GitHub Actions
  2. Run syft on the directory
  3. Observe that the GitHub Actions are part of the resulting SBOM; however, the dependencies of those actions are not listed.

Requested behavior

Have the dependencies of GitHub Actions listed in the SBOM so that vulnerable packages used by an Action can be flagged by grype.
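The workaround the reporter describes (fetch each action's release archive and run syft on it) can be automated from the workflow files themselves. The script below is an added example, not syft's own code and not the reporter's: it pulls every `uses:` reference out of a constructed workflow, skips local (`./`) and `docker://` references that have no GitHub archive, builds the archive URL in GitHub's `https://github.com/<owner>/<repo>/archive/<ref>.tar.gz` form, and emits a `curl` / `tar` / `syft scan dir:` sequence for each distinct action. It assumes a syft release that accepts the `syft scan dir:<path>` form and the `-o cyclonedx-json` output option; the regex-based `uses:` extraction and the `pinned` check (ref is a full 40-hex commit SHA) are this example's own choices. Nothing is downloaded when it runs; it only prints the commands.

```python
"""Enumerate GitHub Actions referenced by a workflow and emit per-action syft scans.

Added example (not part of syft). Assumptions: GitHub's archive URL form
https://github.com/<owner>/<repo>/archive/<ref>.tar.gz, and a syft release
that supports `syft scan dir:<path> -o cyclonedx-json`.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow for illustration; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-node@v4"
        with:
          node-version: 20
      - uses: github/codeql-action/init@v3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: npm ci
"""

# Matches `uses:` on a step line, with or without a leading `-` and optional quotes.
# A regex rather than a YAML parser keeps the example dependency-free.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?', re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class ActionRef:
    raw: str
    owner: Optional[str]  # None for local (./) and docker:// references
    repo: Optional[str]
    ref: Optional[str]    # tag, branch or commit SHA after '@'

    @property
    def archive_url(self) -> Optional[str]:
        if self.owner is None:
            return None
        return f"https://github.com/{self.owner}/{self.repo}/archive/{self.ref}.tar.gz"

    @property
    def pinned(self) -> bool:
        # Only a full commit SHA gives a reproducible archive; tags and branches can move,
        # so an SBOM built from them describes whatever the ref pointed at that day.
        return bool(self.ref and SHA_RE.match(self.ref))


def parse_uses(value: str) -> ActionRef:
    """Split 'owner/repo[/path]@ref' into its parts; local and docker refs get no owner."""
    if value.startswith("./") or value.startswith("docker://"):
        return ActionRef(value, None, None, None)
    path, _, ref = value.partition("@")
    parts = path.split("/")
    if len(parts) < 2 or not ref:
        raise ValueError(f"malformed action reference: {value!r}")
    # A sub-path (github/codeql-action/init) still lives in the owner/repo archive.
    return ActionRef(value, parts[0], parts[1], ref)


def action_refs(workflow_text: str) -> List[ActionRef]:
    return [parse_uses(m.group(1)) for m in USES_RE.finditer(workflow_text)]


def scan_commands(refs: List[ActionRef], out_format: str = "cyclonedx-json") -> List[str]:
    """Emit curl/tar/syft commands, one archive per distinct owner/repo@ref."""
    cmds: List[str] = []
    seen = set()
    for r in refs:
        url = r.archive_url
        if url is None or url in seen:
            continue
        seen.add(url)
        name = f"{r.owner}-{r.repo}-{r.ref}"
        cmds.append(f"curl -sSL {url} -o {name}.tar.gz")
        cmds.append(f"mkdir -p {name} && tar -xzf {name}.tar.gz -C {name} --strip-components=1")
        cmds.append(f"syft scan dir:{name} -o {out_format} > {name}.sbom.json")
    return cmds


if __name__ == "__main__":
    refs = action_refs(SAMPLE_WORKFLOW)
    for r in refs:
        status = "skipped (no archive)" if r.archive_url is None else ("pinned" if r.pinned else "unpinned")
        print(f"# {r.raw}: {status}")
    print("\n".join(scan_commands(refs)))
```

Feeding each generated `*.sbom.json` to grype gives the per-action vulnerability view the request asks for; the `pinned` flag is worth surfacing alongside, because an SBOM of an unpinned `@v4` tag only describes the archive at the time of the scan.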