Skip to content

[CRAVEX] SCA Integrations: CycloneDX cdxgen #1824

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 25, 2025
Merged

[CRAVEX] SCA Integrations: CycloneDX cdxgen #1824

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
436a5b4
Add GitHub workflow to generate SBOM with CycloneDX cdxgen
tdruez Aug 25, 2025
188564b
Add unit test for the CycloneDX cdxgen SBOM support
tdruez Aug 25, 2025
ab8cf9f
Add entry in the FAQ about SCA tools support
tdruez Aug 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions .github/workflows/sca-integration-cdxgen.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: Generate SBOM with CycloneDX cdxgen and load into ScanCode.io

# This workflow:
# 1. Generates a CycloneDX SBOM for a container image using CycloneDX cdxgen.
# 2. Uploads the SBOM as a GitHub artifact for future inspection.
# 3. Loads the SBOM into ScanCode.io for further analysis.
# 4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
#
# It runs on demand, and once a week (scheduled).

on:
workflow_dispatch:
schedule:
# Run once a week (every 7 days) at 00:00 UTC on Sunday
- cron: "0 0 * * 0"

permissions:
contents: read

env:
IMAGE_REFERENCE: "python:3.13.0-slim"

jobs:
generate-and-load-sbom:
runs-on: ubuntu-24.04
steps:
- name: Install CycloneDX cdxgen
run: npm install @cyclonedx/cdxgen

- name: Generate SBOM with CycloneDX cdxgen
run: |
npx cdxgen ${{ env.IMAGE_REFERENCE }} \
--type docker \
--output cdxgen-sbom.cdx.json \
--spec-version 1.6 \
--json-pretty

- name: Upload SBOM as GitHub Artifact
uses: actions/upload-artifact@v4
with:
name: cdxgen-sbom
path: "cdxgen-sbom.cdx.json"
retention-days: 20

- name: Import SBOM into ScanCode.io
uses: aboutcode-org/scancode-action@main
with:
pipelines: "load_sbom"
inputs-path: "cdxgen-sbom.cdx.json"

- name: Verify SBOM Analysis Results in ScanCode.io
shell: bash
run: |
scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0"
17 changes: 17 additions & 0 deletions docs/faq.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -363,3 +363,20 @@ The input to ScanCode is a local saved image: Docker or OCI.
Docker in Docker support will demand to have access to the saved images
(either extracted from the Docker images in Docker, or mounted in a volume or saved
from the Docker in the Docker image). Once saved we can analyze these alright.

Can I import SBOM from other SCA tools?
---------------------------------------

Yes! You can load SBOMs generated by other tools for further review and run
pipelines to enrich or validate the data directly in ScanCode.io.

While most valid SBOMs should work out of the box, SBOMs from the following tools
are actively supported and tested::

- Anchore: https://anchore.com/sbom/
- CycloneDX cdxgen: https://cyclonedx.github.io/cdxgen/
- Trivy: https://trivy.dev/latest/

.. note:: Imported SBOMs must follow the SPDX or CycloneDX standards, in JSON format.
You can use the ``load-sbom`` pipeline to process and enhance these SBOMs in your
ScanCode.io projects.
Loading