Software bill of materials (SBOM) are supposed to provide a list of ingredients that have gone into an application. Having an SBOM allows you to know what you are getting and whether any of the ingredients have vulnerabilities. This is why they are so important and why the US government has mandated that companies use them.
Its the source code, of course, but also the cloud resources, vendor dependencies and partner APIs you call. If your application requires something to run, then it should be in the SBOM, right? And that's why the SecureStack SBOM is created holistically from all the important components of your application. This includes source code, third-party libraries and AWS cloud resources. In addition, this SBOM will include any vulnerabilities from your source code and cloud stack.
name: Example Workflow Using SecureStack SBOM Action
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Create SBOM
id: sbom
uses: SecureStackCo/[email protected]
with:
securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
severity: critical
NOTE - to understand possible values for the action input flags
, run the SecureStack cli locally:
$ bloodhound-cli SBOM --help
- Log in to SecureStack with your GitHub credentials.
- Go to Settings in the lower left corner, and then select the 6th tab: API.
- Generate a new API key and copy the value.
- Now back in GitHub, go to Settings for your GitHub repository and click on Secrets, and then Actions at the bottom left.
- Create a new secret named SECURESTACK_API_KEY and paste the value from step 2 into the field and click "Add secret".
- Log in to SecureStack.
- In the application drop down at the top left choose the application you want to use and click on "Copy Application ID"
- Create a new secret named SECURESTACK_APP_ID and paste the value from step 2 into the field and click "Add secret".
- All your software components including third-party libraries and frameworks
- The AWS native resources that this application is actually using (think Ec2, S3, RDS, Cloudfront, ELB, CloudTrail, CloudWatch, Config, GuardDuty)
- Any vulnerabilities in the components or services
-
You can view the SBOM output right in the GitHub Action workflow output
-
You can download the SBOM file with our bloodhound-cli :
bloodhound-cli SBOM -d <sbom_id> -a <app_id>
Check our our SBOM Scorecard
- SecureStack Software Composition Analysis (SCA) - Scan your application for vulnerable third-party and open source libraries.
- SecureStack Secret Scanning - Scan your application for embedded api keys, credentials and senstive data.
- SecureStack Web Vulnerability & Cloud Misconfiguration Analysis - Scan your running application url for cloud misconfigurations and web vulnerabilities.
- SecureStack Log4j Analysis - Scan your application for Log4j/Log4Shell vulnerabilities.
- SecureStack SBOM - Create a software bill of materials (SBOM) for your application.
- Or, our All-in-One GitHub Action - We've put all of our actions together into one "Action to rule them ALL"!
Made with 💜 by SecureStack