Add support for GitHub Actions
aerabi opened this issue · comments
What would you like to be added: Support for the GitHub Actions ecosystem.
Why is this needed: GitHub Actions are one of the most widely used CI solutions, and the actions used there are code written by third-party actors that can have vulnerabilities which would affect the CI pipelines of the users.
Additional context: I checked the internet a bit but didn't find any work done around generating SBOMs from the GitHub Actions used in one's workflow.
Hey @aerabi, take a look at https://github.com/anchore/sbom-action/ -- this is our Action designed for calling Syft and generating SBOMs as part of a CI pipeline. Hope this helps!
Thanks for your comment, @tgerla! This GitHub action that you just mentioned might have vulnerabilities, as can the Docker build action, etc. Can we generate an SBOM for a GitHub workflow to include the dependencies of the actions used in them?
Oh, I'm sorry, I misunderstood your request. We actually do have a cataloger for scanning GitHub actions: #2140 -- I'm not sure if those catalogers are enabled by default so you may need to enable it specifically: https://github.com/anchore/syft/?tab=readme-ov-file#package-cataloger-selection
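To show concretely what "cataloging the Actions used in a workflow" produces, here is an added example, not Syft's own cataloger and not code from this thread. It assumes a simplified, regex-based reading of `uses:` lines (a real parser would load the YAML), a heuristic that treats versions starting with a digit or `v` plus digit as tags and anything else as a branch, and the `pkg:github/<owner>/<repo>@<version>` purl form for the emitted components; the workflow text is constructed for the example. Beyond listing the actions, it flags references not pinned to a full commit SHA, which is the check a reviewer of the resulting SBOM would most want.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the original issue); it mixes the
# reference styles seen in real workflows: tag, SHA with comment, branch,
# local composite action, and a Docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@0.15.0
      - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a20c3d5d4e41a9b0c1 # v5.1.0
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Assumption: a 'uses:' value ends at whitespace, a quote, or a '#' comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)', re.MULTILINE)
SHA_RE = re.compile(r'[0-9a-f]{40}')
TAG_RE = re.compile(r'v?\d')  # heuristic: "v4", "0.15.0" look like tags


@dataclass(frozen=True)
class ActionRef:
    name: str
    version: str
    kind: str  # one of: 'sha', 'tag', 'branch', 'local', 'docker'


def classify(ref: str) -> ActionRef:
    """Split one 'uses:' reference into name/version and classify how it is pinned."""
    if ref.startswith('./'):
        return ActionRef(ref, '', 'local')
    if ref.startswith('docker://'):
        image = ref[len('docker://'):]
        name, _, tag = image.partition(':')
        return ActionRef(name, tag, 'docker')
    name, _, version = ref.partition('@')
    if SHA_RE.fullmatch(version):
        kind = 'sha'
    elif TAG_RE.match(version):
        kind = 'tag'
    else:
        kind = 'branch'
    return ActionRef(name, version, kind)


def extract_actions(workflow_text: str) -> list:
    """Return every 'uses:' reference in the workflow, in file order."""
    return [classify(m.group(1)) for m in USES_RE.finditer(workflow_text)]


def to_components(refs: list) -> list:
    """Emit SBOM-style component records for the GitHub-hosted actions only.
    The purl layout is an assumption of this example, not Syft's exact output."""
    return [
        {"name": r.name, "version": r.version,
         "purl": f"pkg:github/{r.name}@{r.version}"}
        for r in refs if r.kind in ('sha', 'tag', 'branch')
    ]


def unpinned(refs: list) -> list:
    """GitHub-hosted actions whose reference can move (tag or branch, not a SHA).
    A mutable reference means the code that runs in CI can change without the
    workflow file changing, so these are worth reviewing first."""
    return [r for r in refs if r.kind in ('tag', 'branch')]


if __name__ == "__main__":
    found = extract_actions(SAMPLE_WORKFLOW)
    for c in to_components(found):
        print(c["purl"])
    for r in unpinned(found):
        print(f"not SHA-pinned: {r.name}@{r.version} ({r.kind})")
```

Run it directly to list the purls and the mutable references; feed it your own workflow text in place of the constructed sample to see which `uses:` lines an SBOM consumer would still have no vulnerability data for, as the thread notes.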
Awesome, thanks for mentioning the PR.
I believe that's all Syft can support the matter with. As mentioned in the issue (#1896), the Actions recorded using the cataloger won't be matched to any CVEs, as no one has a database for CVEs in GitHub Actions (right?).
Yeah, that's right. They will be cataloged in the SBOM but as far as I know there aren't any current sources of vulnerability data for them.
I'll go ahead and close this issue because I don't think there is any action to take, but please let me know if you need anything else!