Generating and using SBOMs
An SBOM (see https://www.cisa.gov/sbom) declares the nested inventory of components that make up a piece of software. Under the Cyber Supply Chain Management and Transparency Act of 2014, the United States government is required to obtain an SBOM for any product it purchases.
You can manually export an SBOM in GitHub under Insights | Dependency graph | Export SBOM (see Figure 6.19):
Figure 6.19 – Manually exporting an SBOM in a repository
The SBOM is a JSON file following the Software Package Data Exchange (SPDX) standard.
In this recipe, we will automate the process of generating an SBOM from the current dependencies of the repository and attach it to the release as an additional attachment.
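Before attaching an exported SBOM to a release it is worth checking that the document is usable. The following is an added example, not code from the book's recipe: it reads the SPDX JSON, either the bare file from the Dependency graph page or an API response that wraps it in a top-level "sbom" key (the wrapper shape is an assumption), lists the package URLs (purls) and returns findings a release job should fail on. The sample document is constructed.

```python
import json

# Constructed sample shaped like GitHub's SBOM export (assumption: the REST API
# wraps the SPDX document in a top-level "sbom" key; the manual export is the
# bare document). All package names and versions here are made up.
SAMPLE_EXPORT = json.dumps({"sbom": {
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3",
    "name": "com.github.example/repo",
    "packages": [
        {"SPDXID": "SPDXRef-repo", "name": "com.github.example/repo",
         "versionInfo": "", "externalRefs": []},
        {"SPDXID": "SPDXRef-npm-lodash", "name": "npm:lodash",
         "versionInfo": "4.17.21", "externalRefs": [
             {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
              "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-pip-requests", "name": "pip:requests",
         "versionInfo": "2.31.0", "externalRefs": []},  # no purl: flagged
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-npm-lodash"},
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-missing"},  # dangling: flagged
    ]}})


def check_sbom(text):
    """Return (purls, problems): sorted package URLs of every package that
    carries one, and findings a release job should fail on before attaching."""
    doc = json.loads(text)
    doc = doc.get("sbom", doc)  # unwrap the API response, or keep a bare document
    problems = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2"):
        problems.append("unsupported or missing spdxVersion")
    packages = doc.get("packages", [])
    known = {p.get("SPDXID") for p in packages} | {doc.get("SPDXID")}
    purls = []
    for p in packages:
        locs = [r["referenceLocator"] for r in p.get("externalRefs", [])
                if r.get("referenceType") == "purl"]
        if not locs and p.get("versionInfo"):  # versioned dependency without a purl
            problems.append(f"package {p.get('name')} has no purl")
        purls.extend(locs)
    for rel in doc.get("relationships", []):  # every edge must point at a known ID
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in known:
                problems.append(f"relationship references unknown {rel.get(key)}")
    return sorted(purls), problems
```

A release job can run this over the downloaded file and stop before uploading when the problems list is non-empty.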
Getting ready
Switch to a new branch:
$ git switch -c upload-sbom
How to do it…
- Edit the .github/workflows/release.yml file. Modify the permission for the publish job to allow write access:
permissions:
jobs...