docs/security/SBOM.md
Lines changed: 16 additions & 2 deletions
@@ -71,8 +71,20 @@ It outputs the SBOM in the following format:
71
71
72
72
## Vulnerability Scanning
73
73
74
-
To scan for any vulnerable libraries, submit the SBOM to a vulnerability scanner.
75
-
For example, the popular [Anchore software supply chain management platform](https://anchore.com/) makes the `grype` scanner freely available.
74
+
To scan for vulnerable libraries, use either the [GraalVM GitHub Action](https://github.com/marketplace/actions/github-action-for-graalvm) for automated scanning, or submit the SBOM to a vulnerability scanner directly.
75
+
76
+
### GitHub Integration
77
+
78
+
When using the [GraalVM GitHub Action](https://github.com/marketplace/actions/github-action-for-graalvm), the SBOM can be automatically generated and submitted to GitHub's dependency submission API for continuous scanning.
79
+
This enables:
80
+
- Vulnerability tracking with GitHub's Dependabot.
81
+
- Dependency tracking with GitHub's Dependency Graph.
82
+
83
+
If you use GitHub, this integration offers you the simplest setup and powerful security tooling.
84
+
85
+
### Command-Line Scanning
86
+
87
+
The popular [Anchore software supply chain management platform](https://anchore.com/) makes the `grype` scanner available for free.
76
88
You can check whether the libraries given in your SBOMs have known vulnerabilities documented in Anchore's database.
77
89
For this purpose, the output of the tool can be fed directly to the `grype` scanner to check for vulnerable libraries, using the command `$JAVA_HOME/bin/native-image-inspect --sbom <path_to_binary> | grype` which produces the following output:
78
90
```shell
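Review bot: the new "### GitHub Integration" subsection says the action "can be automatically generated and submitted to GitHub's dependency submission API" but gives the reader nothing to act on: no action input, no minimal workflow snippet, and no link to the part of the action's README that enables SBOM generation and submission. Add one of those, otherwise the "simplest setup" claim is unverifiable from this page. Two smaller points in the same hunk: with the Anchore paragraph moved under "### Command-Line Scanning", the unchanged sentence "the output of the tool can be fed directly to the `grype` scanner" no longer has a clear antecedent for "the tool" (the previous sentence is about Anchore's database), so name it, e.g. "the output of `native-image-inspect --sbom` can be piped directly into `grype`"; and "offers you the simplest setup and powerful security tooling" reads as marketing, where "requires the least setup" is the claim the section actually supports.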
@@ -91,6 +103,8 @@ This dependency information is derived from Native Image's static analysis call
91
103
Analyzing the dependency graph can help you understand why specific components are included in your application.
92
104
For example, discovering an unexpected component in the SBOM allows for tracing its inclusion through the dependency graph to identify which parts of the application are using it.
93
105
106
+
With the GraalVM GitHub Action, you get access to GitHub's Dependency Graph feature.
107
+
94
108
## Enhanced SBOMs with Maven Plugin for Native Image
95
109
96
110
To generate more accurate SBOMs with richer component metadata, consider using the [Maven plugin for GraalVM Native Image](https://graalvm.github.io/native-build-tools/latest/maven-plugin.html).
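Review bot: the added sentence "With the GraalVM GitHub Action, you get access to GitHub's Dependency Graph feature." sits in a section about the SBOM's own dependency graph, the one "derived from Native Image's static analysis" that lets you trace why a component is included, and a reader will take the two to be the same thing. The page does not say whether the relationships from the static analysis survive the submission, or what GitHub's view adds beyond listing the submitted components, so either state that explicitly or move the sentence to the "### GitHub Integration" subsection, e.g. "The submitted SBOM also appears in GitHub's Dependency Graph; tracing why a component is included still uses the SBOM's own dependency graph described above." The sentence is also inserted as a one-line paragraph with a trailing blank line on the new side only; attach it to the preceding paragraph or keep the blank-line pattern consistent with the rest of the file.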