bomctl is format-agnostic Software Bill of Materials (SBOM) tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex SBOM operations on multiple SBOM files that represent systems by being opinionated on only supporting the NTIA minimum fields or other fields supported by protobom.
Note
bomctl is an experimental project under active development. We'd love feedback on the concept, scope, and architecture!
This action installs `bomctl` and optionally:
- runs one or more `bomctl` commands
- exports the resulting SQLite database content as either a SQL script or JSON data
For a quick start guide on the usage of `bomctl`, please refer to https://github.com/bomctl/bomctl-playground.
For available `bomctl` releases, see https://github.com/bomctl/bomctl/releases.
This action currently supports GitHub-hosted Linux, macOS and Windows runners (self-hosted runners may not work).
Basic Example
```yaml
jobs:
  bomctl:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.23.0
          check-latest: true
          cache: false
      - name: Run fetch command
        uses: bomctl/[email protected]
        with:
          bomctl-version: main
          command: fetch
          args: --verbose
            https://github.com/bomctl/bomctl/releases/download/v0.4.1/bomctl_0.4.1_darwin_arm64.tar.gz.cdx.json
            https://github.com/bomctl/bomctl/releases/download/v0.4.0/bomctl_0.4.0_linux_amd64.tar.gz.spdx.json
      - name: Run list command and export database content
        uses: bomctl/[email protected]
        with:
          bomctl-version: main
          command: list
          export-json: true
          export-sql: true
```
The version of `bomctl` to install. Can be a tagged release, commit SHA, branch name, or "latest".
A step using the `actions/setup-go` action must be executed before this action when specifying a branch name or commit SHA.
Example
```yaml
uses: bomctl/[email protected]
with:
  bomctl-version: v0.4.1
  # ...
```
Path of `bomctl` install directory (will be created if it doesn't exist). Defaults to `$HOME/.bomctl`.
Example
```yaml
uses: bomctl/[email protected]
with:
  install-dir: ./.bin
  # ...
```
Name of the command to run. See the documentation for supported commands.
Example
```yaml
uses: bomctl/[email protected]
with:
  command: fetch
  # ...
```
Arguments that will be passed to the specified command. Defaults to `""`.
Example
```yaml
uses: bomctl/[email protected]
with:
  command: fetch
  args: --verbose
    https://github.com/bomctl/bomctl/releases/download/v0.4.1/bomctl_0.4.1_darwin_arm64.tar.gz.cdx.json
    https://github.com/bomctl/bomctl/releases/download/v0.4.0/bomctl_0.4.0_linux_amd64.tar.gz.spdx.json
  # ...
```
Directory in which to create the SQLite `bomctl.db` file. Defaults to `.`.
Example
```yaml
uses: bomctl/[email protected]
with:
  database-dir: ${{ github.workspace }}
  # ...
```
Export contents of database after `bomctl` commands are run. The contents will be written to `bomctl-export.json`. Defaults to `false`.
Example
```yaml
uses: bomctl/[email protected]
with:
  export-json: true
  # ...
```
Export contents of database after `bomctl` commands are run. The contents will be written to `bomctl-export.sql`, a script that can be used to recreate the database. Defaults to `false`.
Example
```yaml
uses: bomctl/[email protected]
with:
  export-sql: true
  # ...
```
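A later job that receives `bomctl-export.sql` can replay it to confirm that the script does recreate a database before relying on its contents. The Python sketch below is an added example, not part of bomctl or this action: the sample script and its table names are constructed and do not reflect bomctl's real schema, and `ATTACH`/`DETACH` are denied so that replaying a script cannot open other database files.

```python
import sqlite3

# Constructed stand-in for bomctl-export.sql; the table and column names are
# hypothetical and do not reflect bomctl's real schema.
SAMPLE_EXPORT = """
BEGIN TRANSACTION;
CREATE TABLE documents (id TEXT PRIMARY KEY, format TEXT NOT NULL);
INSERT INTO documents VALUES ('doc-1', 'cyclonedx');
INSERT INTO documents VALUES ('doc-2', 'spdx');
CREATE TABLE nodes (id TEXT PRIMARY KEY, document_id TEXT, name TEXT);
INSERT INTO nodes VALUES ('n-1', 'doc-1', 'example-lib');
COMMIT;
"""

# Statements a database export has no reason to contain.
_DENIED_ACTIONS = {sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH}


def _authorizer(action, arg1, arg2, db_name, source):
    """Reject ATTACH/DETACH while the script is compiled; allow the rest."""
    if action in _DENIED_ACTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def restore_export(sql_text):
    """Replay an export script in memory and return {table_name: row_count}."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.set_authorizer(_authorizer)
        conn.executescript(sql_text)
        status = conn.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            raise ValueError(f"integrity_check failed: {status}")
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        counts = {}
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            counts[table] = conn.execute(
                f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        return counts
    finally:
        conn.close()


if __name__ == "__main__":
    print(restore_export(SAMPLE_EXPORT))
```

An empty result or an exception from `restore_export` means the export should not be treated as a usable copy of the database.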
Output | Description |
---|---|
`bomctl-version` | Resolved version of bomctl install if `latest` was provided. |
Copyright © bomctl a Series of LF Projects, LLC For web site terms of use, trademark policy and other project policies please see https://lfprojects.org.