feat(sbom): scope catalogers + add optional GitHub Actions scan#30
Merged
Conversation
- Image scan: drop github-actions catalogers (removes transitive `uses:` refs scraped from upstream packages' bundled .github/workflows/*).
- Dir scan (Invoke-SyftDirScan): accept a Catalogers override; lockfile scans pin to javascript-lock-cataloger so they don't walk node_modules, .github, or dist.
- Node lang: detect pnpm-lock.yaml in addition to bun.lock and route to the same lockfile-only path. Warn when bun.lock is detected because syft v1.x can't parse it.
- New input ScanGithubActionsPath / scan-github-actions-path / scanGithubActionsPath: optional, opt-in scan of the consumer's own workflows folder restricted to the github-actions catalogers. Merged into the final BOM.
…s deploy tree When Invoke-NodeScan's AppManifestPath has no recognised lockfile (bun.lock / pnpm-lock.yaml / package-lock.json / yarn.lock) but does have a node_modules directory, route to syft with javascript-package-cataloger. That reads each node_modules/<pkg>/ package.json so the BOM reflects exactly what's installed. Pairs naturally with `pnpm deploy --prod <target>`, which writes the prod-only tree (no lockfile in the target) and is the right input for an in-image SBOM that mirrors what ships to production.
cyclonedx-cli's merge output only reports the first input's component count and the merged total, so per-input regressions (e.g. an empty github-actions BOM) hide in plain sight. Log each input's count ourselves before invoking the merge.
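The per-input check described in that commit, as an added PowerShell example (not the project's own script): every CycloneDX JSON input is counted before `cyclonedx-cli merge` runs, so a 0-component input is surfaced instead of hiding behind the merged total. Function names are assumptions, and the sample BOM at the end is constructed.

```powershell
# Added example, not the project's own code: count the components of every CycloneDX
# JSON input before handing them to `cyclonedx-cli merge`, so an empty input (e.g. a
# github-actions scan that matched nothing) is visible instead of hidden behind the
# merged total. Function names are assumptions; the sample file below is constructed.

function Get-BomComponentCount {
    param([Parameter(Mandatory)][string]$Path)
    $bom = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $components = $bom.components
    if ($null -eq $components) { return 0 }   # key absent: treat as an empty BOM
    return @($components).Count                # @() keeps a single entry from being counted as a scalar
}

function Merge-BomWithCounts {
    param(
        [Parameter(Mandatory)][string[]]$InputFiles,
        [Parameter(Mandatory)][string]$OutputFile,
        [switch]$FailOnEmpty                   # turn a 0-component input into a hard error
    )
    foreach ($file in $InputFiles) {
        $n = Get-BomComponentCount -Path $file
        Write-Host ('bom input {0}: {1} component(s)' -f $file, $n)
        if ($n -eq 0) {
            $msg = "BOM input '$file' has 0 components; the scan probably matched nothing"
            if ($FailOnEmpty) { throw $msg } else { Write-Warning $msg }
        }
    }
    # cyclonedx-cli itself only reports the first input's count and the merged total.
    $cliArgs = @('merge', '--output-file', $OutputFile, '--output-format', 'json', '--input-files') + $InputFiles
    & cyclonedx @cliArgs
    if ($LASTEXITCODE -ne 0) { throw "cyclonedx merge exited with code $LASTEXITCODE" }
    $total = Get-BomComponentCount -Path $OutputFile
    Write-Host ('merged {0} input(s) into {1}: {2} component(s)' -f $InputFiles.Count, $OutputFile, $total)
    return $total
}

# Constructed sample: a one-component BOM written to a temp file exercises the counter.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'bom-sample.json'
@'
{ "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  { "type": "library", "name": "zod", "version": "4.4.3", "purl": "pkg:npm/zod@4.4.3" } ] }
'@ | Set-Content -LiteralPath $sample -Encoding utf8
Get-BomComponentCount -Path $sample
```

`-FailOnEmpty` is the setting to use in CI once the GitHub Actions input is opted in: a workflows scan that returns nothing almost always means the mount path was wrong rather than that the workflows reference no actions.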
…ns cataloger syft's `github-actions-usage-cataloger` and `github-action-workflow-usage-cataloger` only match files whose path contains `.github/workflows/`. When the script mounted the consumer's workflows directory at `/work` directly, the in-container files looked like `/work/ci.yml` and the catalogers silently produced a 0-component BOM. Mount the source at `/work/.github/workflows` instead and scan `dir:/work` so the heuristic fires. Verified locally: a flat-dir scan returns 0 components; nesting under .github/workflows/ returns the expected 22 against hoobi-portfolio's CI workflows.
…uplicate component When CycloneDX output is selected, syft auto-adds the `file` tag to the default cataloger selection. The file-content/-digest/-metadata catalogers then emit a `type: file` component for each node_modules/<pkg>/package.json next to the proper `pkg:npm/<pkg>@<ver>` library entry from the package cataloger. Visible duplicate in the consumer's UI (zod@4.4.3 listed twice). Pass `--select-catalogers -file` (additive negative on top of `--override-default-catalogers`) on both the image scan and the directory scan to drop the file tag entirely. Image scan also already strips github-actions-usage-cataloger and github-action-workflow-usage-cataloger to keep transitive workflow refs out.
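The routing and invocation logic described across the commits above (lockfile vs. installed `node_modules` tree, the `-file` negative selection on both scans, and nesting the workflows mount under `/work/.github/workflows`), as one added PowerShell example that is not the project's own script. Function names, the syft image tag, and every path below are assumptions for illustration.

```powershell
# Added example, not the project's own script: the cataloger routing and container
# invocation described in the commits above. Function names, the syft image tag and
# every path used here are assumptions for illustration.

function Get-NodeScanPlan {
    param([Parameter(Mandatory)][string]$AppManifestPath)

    $lockfiles = 'pnpm-lock.yaml', 'package-lock.json', 'yarn.lock', 'bun.lock'
    $present   = @($lockfiles | Where-Object { Test-Path -LiteralPath (Join-Path $AppManifestPath $_) })

    if ($present.Count -gt 0) {
        if ($present -contains 'bun.lock') {
            Write-Warning 'bun.lock detected: syft v1.x cannot parse it, so its packages will be missing from the BOM.'
        }
        # Lockfile-only path: reads just the lockfile, never walks node_modules, .github or dist.
        return [pscustomobject]@{ Mode = 'lockfile'; Catalogers = 'javascript-lock-cataloger'; Lockfiles = $present }
    }
    if (Test-Path -LiteralPath (Join-Path $AppManifestPath 'node_modules') -PathType Container) {
        # No lockfile but an installed tree (e.g. `pnpm deploy --prod <target>`): read every
        # node_modules/<pkg>/package.json so the BOM reflects exactly what is installed.
        return [pscustomobject]@{ Mode = 'installed'; Catalogers = 'javascript-package-cataloger'; Lockfiles = @() }
    }
    return [pscustomobject]@{ Mode = 'none'; Catalogers = $null; Lockfiles = @() }
}

function Get-SyftDirScanArgs {
    param([Parameter(Mandatory)][string]$Catalogers)   # comma-separated cataloger names
    # --override-default-catalogers replaces the default set with exactly $Catalogers.
    # `--select-catalogers -file` is an additive negative on top of it: it drops the
    # file-* catalogers syft auto-adds for CycloneDX output, which would otherwise emit
    # a `type: file` component per package.json beside the pkg:npm library entry.
    return @('scan', 'dir:/work',
             '--override-default-catalogers', $Catalogers,
             '--select-catalogers', '-file',
             '-o', 'cyclonedx-json', '-q')
}

function Get-SyftImageScanArgs {
    param([Parameter(Mandatory)][string]$ImageRef)
    # Image scan keeps the default set but removes the file tag and both github-actions
    # catalogers, so `uses:` refs from upstream packages' bundled workflows stay out.
    return @('scan', $ImageRef,
             '--select-catalogers', '-file,-github-actions-usage-cataloger,-github-action-workflow-usage-cataloger',
             '-o', 'cyclonedx-json', '-q')
}

function Invoke-SyftContainer {
    param(
        [Parameter(Mandatory)][string]$HostPath,
        [Parameter(Mandatory)][string]$ContainerPath,   # /work, or /work/.github/workflows
        [Parameter(Mandatory)][string[]]$SyftArgs,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$SyftImage = 'anchore/syft:latest'      # assumed tag; pin a version or digest in CI
    )
    $src = (Resolve-Path -LiteralPath $HostPath).Path
    $dockerArgs = @('run', '--rm', '-v', "${src}:${ContainerPath}:ro", $SyftImage) + $SyftArgs
    & docker @dockerArgs | Set-Content -LiteralPath $OutFile -Encoding utf8
    if ($LASTEXITCODE -ne 0) { throw "syft exited with code $LASTEXITCODE for $HostPath" }
}

# Usage with constructed paths. The github-actions catalogers only match files whose
# path contains `.github/workflows/`, so the consumer's workflows folder is mounted at
# that nested path while the scan source stays dir:/work; mounting it at /work directly
# produces a 0-component BOM.
$plan = Get-NodeScanPlan -AppManifestPath 'C:\build\deploy'
if ($plan.Catalogers) {
    Invoke-SyftContainer -HostPath 'C:\build\deploy' -ContainerPath '/work' `
        -SyftArgs (Get-SyftDirScanArgs -Catalogers $plan.Catalogers) -OutFile 'bom-node.json'
}
Invoke-SyftContainer -HostPath '.\.github\workflows' -ContainerPath '/work/.github/workflows' `
    -SyftArgs @('scan', 'dir:/work',
                '--override-default-catalogers', 'github-actions-usage-cataloger,github-action-workflow-usage-cataloger',
                '-o', 'cyclonedx-json', '-q') `
    -OutFile 'bom-actions.json'
```

`Get-SyftImageScanArgs` is included for symmetry with the directory scan; an image scan needs no bind mount, only access to the image (daemon socket or registry credentials), so it is not routed through `Invoke-SyftContainer` here. The two resulting JSON files are the inputs a merge step would count and combine.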
hoobio pushed a commit that referenced this pull request on May 23, 2026
Auto-generated by [release-please](https://github.com/googleapis/release-please).

---

## [2.3.0](v2.2.1...v2.3.0) (2026-05-23)

### Features

* **sbom:** scope catalogers + add optional GitHub Actions scan ([#30](#30)) ([7fa1923](7fa1923))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please-hoobi[bot] <279189756+release-please-hoobi[bot]@users.noreply.github.com>
Summary

- `uses:` refs scraped from upstream packages' bundled `.github/workflows/*.yml` (e.g. `node_modules/@fastify/*`) stop leaking into the container BOM.
- `Invoke-SyftDirScan` accepts a catalogers override; the bun/pnpm lockfile path pins to `javascript-lock-cataloger` so the scan reads just the lockfile and doesn't walk `node_modules`, `.github`, or `dist`.
- `ScanGithubActionsPath` / `scan-github-actions-path` / `scanGithubActionsPath` input: scans the consumer's own workflows directory with only the github-actions catalogers and merges the result. The image scan no longer covers this, so consumers wanting GitHub Actions in their BOM must set this input explicitly.

Test plan

- `scripts/.github/workflows` with the two github-actions catalogers returns just the actions referenced from our workflows (validated against hoobi-portfolio)
- `javascript-lock-cataloger` reads a synthetic `pnpm-lock.yaml`