Merge pull request #10 from anjalitrace2-nhs/SBOM-scan-for-non-docker-repos

daisytimms2-nhs · web-flow · commit 3456c1657a37 · 2026-01-23T15:48:04.000Z
Adds the option to run the SBOM action providing a path to the repo rather than a docker image.

- Both inputs are optional but the job will fail if neither are provided
- Updated readme with new input info
- Added a job to the test workflow which checks SBOM generation works for both local &amp; remote repos
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
@@ -68,8 +68,8 @@ jobs:
           
           echo "All IaC scan assertions passed"
 
-  test-sbom-scan:
-    name: Test SBOM Scan Action
+  test-sbom-scan-docker-mode:
+    name: Test SBOM Scan Action - Docker Image
     runs-on: ubuntu-latest
     
     steps:
@@ -82,7 +82,6 @@ jobs:
         with:
           image-ref: 'alpine:3.18'
           publish-to-dependency-graph: 'false'
-      
       - name: Verify SBOM output with assertions
         run: |
           echo "SBOM path: ${{ steps.sbom-scan.outputs.sbom-path }}"
@@ -132,6 +131,123 @@ jobs:
           
           echo "All SBOM scan assertions passed"
 
+  test-sbom-scan-repo-mode:
+    name: Test SBOM Scan Action - Git Repo
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Test SBOM Scan with this local repo
+        id: sbom-scan-local
+        uses: ./sbom-scan
+        with:
+          repo-path: "./"
+          publish-to-dependency-graph: "false"
+          artifact-name: "sbom-local-repo"
+      - name: Verify SBOM output with assertions
+        run: |
+          echo "SBOM path: ${{ steps.sbom-scan-local.outputs.sbom-path }}"
+          
+          if [[ -z "${{ steps.sbom-scan-local.outputs.sbom-path }}" ]]; then
+            echo "SBOM path output is empty"
+            exit 1
+          fi
+          
+          if [[ ! -f "${{ steps.sbom-scan-local.outputs.sbom-path }}" ]]; then
+            echo "SBOM file not found: ${{ steps.sbom-scan-local.outputs.sbom-path }}"
+            exit 1
+          fi
+          
+          if [[ ! -s "${{ steps.sbom-scan-local.outputs.sbom-path }}" ]]; then
+            echo "SBOM file is empty"
+            exit 1
+          fi
+          
+          if ! jq empty "${{ steps.sbom-scan-local.outputs.sbom-path }}" 2>/dev/null; then
+            echo "SBOM is not valid JSON"
+            exit 1
+          fi
+          
+          if ! jq -e '.spdxVersion' "${{ steps.sbom-scan-local.outputs.sbom-path }}" >/dev/null; then
+            echo "SBOM missing spdxVersion field"
+            exit 1
+          fi
+          
+          if ! jq -e '.name' "${{ steps.sbom-scan-local.outputs.sbom-path }}" >/dev/null; then
+            echo "SBOM missing name field"
+            exit 1
+          fi
+          
+          if ! jq -e '.creationInfo' "${{ steps.sbom-scan-local.outputs.sbom-path }}" >/dev/null; then
+            echo "SBOM missing creationInfo field"
+            exit 1
+          fi
+          
+          if ! jq -e '.packages' "${{ steps.sbom-scan-local.outputs.sbom-path }}" >/dev/null; then
+            echo "SBOM missing packages array"
+            exit 1
+          fi
+          
+          file_size=$(wc -c < "${{ steps.sbom-scan-local.outputs.sbom-path }}")
+          echo "SBOM file size: ${file_size} bytes"
+          
+          echo "All SBOM scan assertions passed"
+      - name: Test SBOM Scan with public remote repo
+        id: sbom-scan-remote
+        uses: ./sbom-scan
+        with:
+          repo-path: "https://github.com/PokeAPI/pokeapi"
+          publish-to-dependency-graph: "false"
+          artifact-name: "sbom-remote-repo"
+      - name: Verify SBOM output with assertions
+        run: |
+          echo "SBOM path: ${{ steps.sbom-scan-remote.outputs.sbom-path }}"
+          
+          if [[ -z "${{ steps.sbom-scan-remote.outputs.sbom-path }}" ]]; then
+            echo "SBOM path output is empty"
+            exit 1
+          fi
+          
+          if [[ ! -f "${{ steps.sbom-scan-remote.outputs.sbom-path }}" ]]; then
+            echo "SBOM file not found: ${{ steps.sbom-scan-remote.outputs.sbom-path }}"
+            exit 1
+          fi
+          
+          if [[ ! -s "${{ steps.sbom-scan-remote.outputs.sbom-path }}" ]]; then
+            echo "SBOM file is empty"
+            exit 1
+          fi
+          
+          if ! jq empty "${{ steps.sbom-scan-remote.outputs.sbom-path }}" 2>/dev/null; then
+            echo "SBOM is not valid JSON"
+            exit 1
+          fi
+          
+          if ! jq -e '.spdxVersion' "${{ steps.sbom-scan-remote.outputs.sbom-path }}" >/dev/null; then
+            echo "SBOM missing spdxVersion field"
+            exit 1
+          fi
+          
+          if ! jq -e '.name' "${{ steps.sbom-scan-remote.outputs.sbom-path }}" >/dev/null; then
+            echo "SBOM missing name field"
+            exit 1
+          fi
+          
+          if ! jq -e '.creationInfo' "${{ steps.sbom-scan-remote.outputs.sbom-path }}" >/dev/null; then
+            echo "SBOM missing creationInfo field"
+            exit 1
+          fi
+          
+          if ! jq -e '.packages' "${{ steps.sbom-scan-remote.outputs.sbom-path }}" >/dev/null; then
+            echo "SBOM missing packages array"
+            exit 1
+          fi
+          
+          file_size=$(wc -c < "${{ steps.sbom-scan-remote.outputs.sbom-path }}")
+          echo "SBOM file size: ${file_size} bytes"
+          
+          echo "All SBOM scan assertions passed"
+
   test-multiple-scenarios:
     name: Test Multiple Scenarios
     runs-on: ubuntu-latest
diff --git a/README.md b/README.md
@@ -69,24 +69,26 @@ Performs Software Bill of Materials (SBOM) scanning and reporting with optional
 - name: Generate SBOM
   uses: nhs-england-tools/trivy-action/sbom-scan@v1.1.0
   with:
-    image-ref: 'myapp:latest'
-    publish-to-dependency-graph: 'true'
+    image-ref: "myapp:latest" # scan your docker image, or
+    repo-path: "."            # scan your git repo
+    publish-to-dependency-graph: "true"
     github-token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 #### Inputs
 
-| Input | Description | Required | Default |
-|-------|-------------|----------|---------|
-| `image-ref` | Docker image reference to scan | Yes | - |
-| `github-token` | GitHub token for dependency graph upload | No | - |
-| `publish-to-dependency-graph` | Publish SBOM to GitHub Dependency Graph | No | `false` |
-| `artifact-name` | Name for the uploaded SBOM artifact | No | `sbom` |
+| Input                         | Description                                | Required                                   | Default |
+| ----------------------------- | ------------------------------------------ | ------------------------------------------ | ------- |
+| `image-ref`                   | Docker image reference to scan             | Must provide either image-ref or repo-path | -       |
+| `repo-path`                   | Path to git repo to scan (local or remote) | Must provide either image-ref or repo-path | -       |
+| `github-token`                | GitHub token for dependency graph upload   | No                                         | -       |
+| `publish-to-dependency-graph` | Publish SBOM to GitHub Dependency Graph    | No                                         | `false` |
+| `artifact-name`               | Name for the uploaded SBOM artifact        | No                                         | `sbom`  |
 
 #### Outputs
 
-| Output | Description |
-|--------|-------------|
+| Output      | Description                     |
+| ----------- | ------------------------------- |
 | `sbom-path` | Path to the generated SBOM file |
 
 ### 🔍 Image Scan
diff --git a/sbom-scan/action.yml b/sbom-scan/action.yml
@@ -4,7 +4,10 @@ description: Performs SBOM scanning and reporting with optional dependency graph
 inputs:
   image-ref:
     description: 'Docker image reference to scan'
-    required: true
+    required: false
+  repo-path:
+    description: "Path to git repo to scan (local or remote)"
+    required: false
   github-token:
     description: 'GitHub token for dependency graph upload'
     required: false
@@ -25,14 +28,40 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Trivy SBOM SPDX Scan
+    - name: Validate inputs
+      shell: bash
+      env:
+        IMAGE_REF: ${{ inputs.image-ref }}
+        REPO_PATH: ${{ inputs.repo-path }}
+      run: |
+        echo "IMAGE_REF:" $IMAGE_REF
+        echo "REPO_PATH:" $REPO_PATH
+        if [[ -z $IMAGE_REF && -z $REPO_PATH ]]; then
+          echo "Must define one of IMAGE_REF or REPO_PATH"
+          exit 1
+        elif [[ -n $IMAGE_REF && -n $REPO_PATH ]]; then
+          echo "Must define only one of IMAGE_REF or REPO_PATH, not both."
+          exit 1
+        fi
+
+    - name: Trivy SBOM SPDX Scan - Docker Image
+      if: ${{ inputs.image-ref != '' }}
       uses: aquasecurity/trivy-action@0.20.0
       with:
         scan-type: image
         image-ref: ${{ inputs.image-ref }}
         format: spdx-json
         output: sbom.spdx.json
 
+    - name: Trivy SBOM SPDX Scan - Repo
+      if: ${{ inputs.repo-path != '' }}
+      uses: aquasecurity/trivy-action@0.20.0
+      with:
+        scan-type: repo
+        scan-ref: ${{ inputs.repo-path }}
+        format: spdx-json
+        output: sbom.spdx.json
+
     - name: Trivy SBOM Dependency Graph Upload
       if: ${{ inputs.publish-to-dependency-graph == 'true' && inputs.github-token != '' }}
       uses: aquasecurity/trivy-action@0.20.0
@@ -83,4 +112,4 @@ runs:
         end
         JQ
 
-        jq -r -f sbom_to_summary.jq sbom.spdx.json >> "$GITHUB_STEP_SUMMARY"
+        jq -r -f sbom_to_summary.jq sbom.spdx.json >> "$GITHUB_STEP_SUMMARY"
