Skip to content

A GitHub Action that creates a SBOM from your application so you can meet compliance and security requirements. Add this to your dev, staging and prod steps and SecureStack will make sure that what you've just deployed is secure and meets your requirements, and has the SBOM to show it!

License

Notifications You must be signed in to change notification settings

SecureStackCo/actions-sbom

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 

Repository files navigation

SecureStack SBOM

What's an SBOM?

Software bill of materials (SBOM) are supposed to provide a list of ingredients that have gone into an application. Having an SBOM allows you to know what you are getting and whether any of the ingredients have vulnerabilities. This is why they are so important and why the US government has mandated that companies use them.

An application is more than just the third party libraries you are using

Its the source code, of course, but also the cloud resources, vendor dependencies and partner APIs you call. If your application requires something to run, then it should be in the SBOM, right? And that's why the SecureStack SBOM is created holistically from all the important components of your application. This includes source code, third-party libraries and AWS cloud resources. In addition, this SBOM will include any vulnerabilities from your source code and cloud stack.

name: Example Workflow Using SecureStack SBOM Action
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Create SBOM
        id: sbom
        uses: SecureStackCo/[email protected]
        with:
          securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
          securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
          severity: critical

NOTE - to understand possible values for the action input flags, run the SecureStack cli locally:

$ bloodhound-cli SBOM --help

Create your SecureStack API Key and save as GitHub Secret

  1. Log in to SecureStack with your GitHub credentials.
  2. Go to Settings in the lower left corner, and then select the 6th tab: API.Create API key
  3. Generate a new API key and copy the value.Copy API key
  4. Now back in GitHub, go to Settings for your GitHub repository and click on Secrets, and then Actions at the bottom left.
  5. Create a new secret named SECURESTACK_API_KEY and paste the value from step 2 into the field and click "Add secret".Create GitHub Secret for API key

Retreiving your SecureStack Application ID

  1. Log in to SecureStack.
  2. In the application drop down at the top left choose the application you want to use and click on "Copy Application ID" Copy Application ID
  3. Create a new secret named SECURESTACK_APP_ID and paste the value from step 2 into the field and click "Add secret".Create GitHub Secret for app_id

What types of components will this BoM include?

  1. All your software components including third-party libraries and frameworks
  2. The AWS native resources that this application is actually using (think Ec2, S3, RDS, Cloudfront, ELB, CloudTrail, CloudWatch, Config, GuardDuty)
  3. Any vulnerabilities in the components or services

How can I see the output of the SBOM?

  1. You can view the SBOM output right in the GitHub Action workflow outputworkflow output

  2. You can download the SBOM file with our bloodhound-cli : bloodhound-cli SBOM -d <sbom_id> -a <app_id>

  3. You can interact with the SBOM in the SecureStack SaaS platform

  4. You can download the SBOM file in the SecureStack SaaS platform

What others are saying about SecureStack SBOMs

Check our our SBOM Scorecard

Check out our other GitHub Actions:

  1. SecureStack Software Composition Analysis (SCA) - Scan your application for vulnerable third-party and open source libraries.
  2. SecureStack Secret Scanning - Scan your application for embedded api keys, credentials and senstive data.
  3. SecureStack Web Vulnerability & Cloud Misconfiguration Analysis - Scan your running application url for cloud misconfigurations and web vulnerabilities.
  4. SecureStack Log4j Analysis - Scan your application for Log4j/Log4Shell vulnerabilities.
  5. SecureStack SBOM - Create a software bill of materials (SBOM) for your application.
  6. Or, our All-in-One GitHub Action - We've put all of our actions together into one "Action to rule them ALL"!

Made with 💜 by SecureStack

About

A GitHub Action that creates a SBOM from your application so you can meet compliance and security requirements. Add this to your dev, staging and prod steps and SecureStack will make sure that what you've just deployed is secure and meets your requirements, and has the SBOM to show it!

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published