anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Add support for GitHub Actions

aerabi opened this issue · comments

What would you like to be added: Support for the GitHub Actions ecosystem.

Why is this needed: GitHub Actions are one of the most widely used CI solutions, and the actions used there are code written by third-party actors and can have vulnerabilities that would affect the CI pipelines of the users.

Additional context: I checked the internet a bit but didn't find any work done around generating SBOMs from the GitHub Actions used in one's workflow.

Hey @aerabi, take a look at https://github.com/anchore/sbom-action/ -- this is our Action designed for calling Syft and generating SBOMs as part of a CI pipeline. Hope this helps!

Thanks for your comment, @tgerla! This GitHub action that you just mentioned might have vulnerabilities, as can the Docker build action, etc. Can we generate an SBOM for a GitHub workflow to include the dependencies of the actions used in them?

Oh, I'm sorry, I misunderstood your request. We actually do have a cataloger for scanning GitHub actions: #2140 -- I'm not sure if those catalogers are enabled by default so you may need to enable it specifically: https://github.com/anchore/syft/?tab=readme-ov-file#package-cataloger-selection
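To make concrete what a GitHub Actions cataloger has to pull out of a workflow file, here is an added, self-contained Python illustration. It is not Syft's own code and not part of this issue thread; the real cataloger is the one referenced in #2140 and is enabled through the cataloger-selection mechanism (the `--select-catalogers` flag) documented in the README section linked above. The workflow text, the action versions and the 40-character commit SHA below are constructed sample data. The parser walks `uses:` lines, classifies each reference as a marketplace action, a `docker://` image or a local action, and records the pinned version along with whether it is an immutable commit SHA or a mutable tag, which is the information an SBOM consumer needs when there is no vulnerability feed to match against.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow (not from the Syft project or this issue).
# The setup-go SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - name: Generate SBOM
        uses: anchore/sbom-action@v0   # trailing comments are ignored
        with:
          path: .
"""

# A `uses:` step line; the value may be quoted and may carry a trailing comment.
USES_LINE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?\s*(?:#.*)?$')
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    kind: str            # "github-action", "docker-image" or "local-action"
    name: str            # owner/repo, image name, or local path
    version: str         # tag, branch, commit SHA, image tag or digest
    pinned_by_sha: bool  # True only for an immutable commit SHA / image digest
    line: int            # 1-based line in the workflow file


def parse_uses(value: str, line: int) -> ActionRef:
    """Classify one `uses:` value into an SBOM-style component record."""
    if value.startswith("./"):
        # Local composite action inside the repository: no external version.
        return ActionRef("local-action", value, "", False, line)
    if value.startswith("docker://"):
        image = value[len("docker://"):]
        if "@" in image:
            # Digest reference (image@sha256:...) is immutable.
            name, _, digest = image.partition("@")
            return ActionRef("docker-image", name, digest, True, line)
        name, _, tag = image.rpartition(":")
        if not name or "/" in tag:
            # No tag at all (or the colon belonged to a registry port): implicit latest.
            name, tag = image, "latest"
        return ActionRef("docker-image", name, tag, False, line)
    # Marketplace action or reusable workflow: owner/repo[/path]@ref
    name, _, ref = value.partition("@")
    return ActionRef("github-action", name, ref, bool(FULL_SHA.match(ref)), line)


def catalog_workflow(text: str) -> List[ActionRef]:
    """Extract every action reference from a workflow file, in file order."""
    refs = []
    for number, raw in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(raw)
        if match:
            refs.append(parse_uses(match.group(1), number))
    return refs


def mutable_references(refs: List[ActionRef]) -> List[ActionRef]:
    """External components whose version can change underneath the pipeline."""
    return [r for r in refs if r.kind != "local-action" and not r.pinned_by_sha]


if __name__ == "__main__":
    for ref in catalog_workflow(SAMPLE_WORKFLOW):
        pin = "sha-pinned" if ref.pinned_by_sha else "mutable"
        print(f"line {ref.line:>2}: {ref.kind:<14} {ref.name}@{ref.version} ({pin})")
```

Run as a script it lists each component with its pin state; a CI check can call `mutable_references()` on the result to find third-party actions that are not fixed to a commit.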

Awesome, thanks for mentioning the PR.

I believe that's all Syft can support the matter with. As mentioned in the issue (#1896), the Actions recorded using the cataloger won't be matched to any CVEs, as no one has a database for CVEs in GitHub Actions (right?).

Yeah, that's right. They will be cataloged in the SBOM but as far as I know there aren't any current sources of vulnerability data for them.

I'll go ahead and close this issue because I don't think there is any action to take, but please let me know if you need anything else!