Open mbiuki opened 3 months ago
TODO
Create GitHub Actions Workflow: Set up a GitHub Actions workflow to run on every push to the main branch and on every release. The workflow should trigger SBOM generation tools compatible with SPDX and CycloneDX formats.
Integrate SBOM Generation Tool: Select and integrate an SBOM generation tool that supports SPDX and CycloneDX formats (e.g., Syft, CycloneDX GitHub Action). Configure the tool to scan the codebase and generate the SBOM.
Store and Attach SBOM: Save the generated SBOM in the repository. Attach the SBOM file to the release artifacts.
Testing and Validation: Test the workflow to ensure SBOM is generated correctly. Validate the SBOM formats and ensure they meet the required standards.
Documentation: Document the setup process in the repository’s README or a separate documentation file. Create a hyperlink in the changelog. Provide instructions on how to manually trigger the SBOM generation if needed.
FYI, @jdcmsd ☝🏻
Parent Issue
No response
Task
We need to automate the generation of Software Bill of Materials (SBOM) using GitHub Actions. This automation should ensure that a new SBOM is generated with each new build and release. The preferred SBOM formats are SPDX and CycloneDX.
Additional Information:
Proposed Objective
Security & Privacy
Proposed Priority
Priority 2 - Important
Acceptance Criteria
External Links... Slack Conversations, Support Tickets, Figma Designs, etc.
No response
Assumptions & Initiation Needs
No response
Quality Assurance Notes & Workarounds
No response
Sub-Tasks & Estimates
No response
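One way to implement the TODO list above, as an added example that is not part of this issue or the project's own workflow: a single GitHub Actions workflow that runs on pushes to main and on published releases, generates both SPDX and CycloneDX SBOMs with Syft, does a basic validation of each file, stores them as a workflow artifact, and attaches them to the release. The workflow file name, the choice of Syft (via `anchore/sbom-action/download-syft`), and the `jq` sanity checks standing in for full schema validation are assumptions made for this example.

```yaml
# .github/workflows/sbom.yml  (hypothetical file name; added example, not project code)
name: SBOM

on:
  push:
    branches: [main]
  release:
    types: [published]
  workflow_dispatch:          # manual trigger, as the documentation step in the TODO asks for

permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write         # only needed to upload release assets; keep every other job read-only
    steps:
      - uses: actions/checkout@v4

      # Install a pinned Syft binary; the sub-action exposes the path to it as an output.
      - name: Install Syft
        id: syft
        uses: anchore/sbom-action/download-syft@v0

      # One scan, two outputs: Syft accepts several -o format=file flags in a single run,
      # so both SBOMs describe exactly the same tree at the same commit.
      - name: Generate SPDX and CycloneDX SBOMs
        run: |
          "${{ steps.syft.outputs.cmd }}" dir:. \
            -o spdx-json=sbom.spdx.json \
            -o cyclonedx-json=sbom.cdx.json

      # Structural sanity checks (assumption: jq is present, which it is on ubuntu-latest).
      # `jq -e` fails the step if the expression is false or null, so an empty or
      # wrongly-formatted SBOM stops the workflow before anything is published.
      - name: Validate SBOMs
        run: |
          jq -e '.spdxVersion | startswith("SPDX-")' sbom.spdx.json
          jq -e '.bomFormat == "CycloneDX" and (.components | length > 0)' sbom.cdx.json

      # Keep the SBOMs for every main-branch build, keyed by commit.
      - name: Upload SBOMs as a workflow artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ github.sha }}
          path: |
            sbom.spdx.json
            sbom.cdx.json

      # On a release event, attach both files to the release so they ship with the binaries.
      - name: Attach SBOMs to the release
        if: github.event_name == 'release'
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release upload "${{ github.event.release.tag_name }}" \
            sbom.spdx.json sbom.cdx.json --clobber
```

Two practical notes. First, the "store in the repository" item is handled here by publishing the SBOM as a workflow artifact and a release asset rather than committing it back to main: a workflow that commits on every push to main re-triggers itself unless the push is excluded with `paths-ignore`, and the release asset is what downstream consumers actually fetch. Second, the `@v4`/`@v0` tags are used for readability; in a workflow that exists to improve supply-chain posture, pin each action to a full commit SHA (with the tag in a trailing comment) so that a moved tag cannot silently change what runs. The `jq` checks only confirm the documents are the right kind of JSON; the "meet the required standards" step in the TODO would add a schema validator for each format on top of them.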