🚧 🏗️ This project is at an early development stage 🏗️ 🚧
An ecosystem describes the tooling used to build a project. The ecosystems listed below are supported for generating a Software Bill of Materials (SBOM).
A project is not required to use any of the tools listed below. For a project that uses none of them, the action will attempt to generate an SBOM with the trivy scanner.
There are no pre-requisites for this ecosystem.
- gradle
The project must use the gradle wrapper for the action to work.
`$cyclonedxVersion` = CycloneDX Gradle Releases
Add the plugin to your `build.gradle` or `build.gradle.kts` file:

```kotlin
plugins {
    // Replace $cyclonedxVersion with a release from CycloneDX Gradle Releases
    id("org.cyclonedx.bom") version "$cyclonedxVersion"
}
```

No further configuration is required.
For more information, see the CycloneDX Gradle Plugin project.
- maven
The project must use the maven wrapper for the action to work.
- npm
There are no pre-requisites for this ecosystem.
- yarn
Not supported yet.
There are no pre-requisites for this ecosystem.
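An added example (not part of this action's code) of the kind of sanity check worth running on the generated CycloneDX JSON SBOM before it is signed or attested. It assumes the SBOM is CycloneDX JSON, as emitted by the CycloneDX Gradle plugin or trivy, and uses a constructed sample document in place of real action output.

```python
"""Sanity-check a CycloneDX JSON SBOM before signing it (added example)."""
import json
from collections import Counter

# Constructed sample SBOM: the lodash component deliberately lacks a purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "lodash", "version": "4.17.21"},
    ],
})

SUPPORTED_SPEC_VERSIONS = {"1.2", "1.3", "1.4", "1.5", "1.6"}


def check_cyclonedx(sbom_json: str) -> list[str]:
    """Return a list of problems found; an empty list means the SBOM passes."""
    doc = json.loads(sbom_json)
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if doc.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        problems.append(f"unsupported specVersion {doc.get('specVersion')!r}")
    if not str(doc.get("serialNumber", "")).startswith("urn:uuid:"):
        problems.append("serialNumber missing or not a urn:uuid")
    components = doc.get("components") or []
    if not components:
        problems.append("no components listed")
    for comp in components:
        ident = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("version"):
            problems.append(f"component {ident} has no version")
        if not comp.get("purl"):  # without a purl the component cannot be matched to advisories
            problems.append(f"component {ident} has no purl")
    return problems


def purl_types(sbom_json: str) -> dict[str, int]:
    """Count components per purl type (maven, npm, ...), i.e. per ecosystem."""
    counts = Counter()
    for comp in json.loads(sbom_json).get("components") or []:
        purl = comp.get("purl")
        if purl and purl.startswith("pkg:"):
            counts[purl[4:].split("/", 1)[0]] += 1
    return dict(counts)
```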
- KMS: go-kms.yaml
- cosign.key: go.yaml
- Google: go-google.yaml
- GitHub: go-github.yaml
Requires GitHub job permissions to be set:

```yaml
jobs:
  build:
    permissions:
      contents: 'read'
      id-token: 'write'
```

For more information, see action.yaml.
- Sign container image
- Attest container SBOM to container image
- Support for other ecosystems
- Support for other signing methods