A GitHub Action that submits Software Bill of Materials (SBOM) files to the bifrost API to analyze your services for known vulnerabilities and security risks.
- A bifrost organization and service set up to receive SBOMs. See Get started for more information.
- A valid bifrost API token. Navigate to your organization settings and create a new token under API access tokens.
- An SBOM file generated by your build process, or
dependency-graph: 'true' - GitHub repository with Actions enabled
name: build
on:
pull_request:
jobs:
build:
name: Build and submit SBOM
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v6
- name: Build code
run: make build
- name: Generate SBOM
run: # execute tool that generates SBOM output to file
- name: Send SBOM to bifrost
uses: bifrostsec/submit-sbom-action@v1
with:
api-token: ${{ secrets.BIFROST_API_TOKEN }}
service: 'my-service'
service-version: 'v1.0.0'
sbom-path: 'build/sbom.spdx'name: build
on:
pull_request:
jobs:
build:
name: Build and submit SBOM
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v6
- name: Build code
run: make build
# Generate SBOM using anchore/sbom-action (syft)
- name: Generate SBOM
uses: anchore/sbom-action@v0.21.1
with:
path: .
format: spdx-json
output-file: build/sbom.spdx
- name: Send SBOM to bifrost
uses: bifrostsec/submit-sbom-action@v1
with:
api-token: ${{ secrets.BIFROST_API_TOKEN }}
service: 'my-service'
service-version: 'v1.0.0'
sbom-path: 'build/sbom.spdx' - name: Send SBOM to bifrost
uses: bifrostsec/submit-sbom-action@v1
with:
api-token: ${{ secrets.BIFROST_API_TOKEN }}
service: 'my-service'
service-version: 'v1.0.0'
sbom-path: 'build/sbom.spdx'
retry-attempts: '5'
retry-delay: '10'Provide sbom-path as a multiline value to upload multiple SBOM files in one action invocation:
- name: Send SBOMs to bifrost
uses: bifrostsec/submit-sbom-action@v1
with:
api-token: ${{ secrets.BIFROST_API_TOKEN }}
service: 'my-service'
service-version: 'v1.0.0'
sbom-path: |
build/backend.cdx.json
build/frontend.cdx.jsonUse GitHub's dependency graph export as an additional SBOM source:
- name: Send SBOMs to bifrost
uses: bifrostsec/submit-sbom-action@v1
with:
api-token: ${{ secrets.BIFROST_API_TOKEN }}
service: 'my-service'
service-version: 'v1.0.0'
dependency-graph: 'true'Note: If you want the workflow to continue even if this action fails, you can use GitHub's built-in continue-on-error setting. See the GitHub Actions workflow syntax documentation for more information.
| Input | Description | Required | Default | Notes |
|---|---|---|---|---|
api-token |
Bearer token for Bifrost API authentication | Yes | - | - |
service |
Your Service name | Yes | - | - |
service-version |
Your Service version | Yes | - | - |
sbom-path |
Path to the SBOM file to submit, or a multiline list of SBOM paths | No | - | When unset and dependency-graph is true, only the dependency graph SBOM is submitted |
dependency-graph |
Export the GitHub dependency graph SBOM | No | false |
Uses the current repository default branch |
retry-attempts |
Number of retry attempts for failed requests | No | 3 |
- |
retry-delay |
Delay in seconds between retry attempts | No | 2 |
- |
api-host |
Custom API host URL | No | https://portal.bifrostsec.com |
- |
This action does not provide explicit output values. Instead, it uses GitHub Actions' standard exit behavior:
- On successful SBOM submission, the action completes successfully
- On failure, the action fails and stops the workflow (unless
continue-on-erroris set) - If neither
sbom-pathnordependency-graphis configured, the action warns and completes without submitting an SBOM
This action submits SBOMs to the Bifrost API using bifrost-cli, which calls the following endpoint:
POST https://portal.bifrostsec.com/api/v2/service/{service}/version/{version}/sbom
The request includes:
Authorization: Bearer {api-token}headerContent-Type: application/jsonheader- SBOM file contents as the request body
- Git metadata query parameters:
git_branch,git_commit_sha, andgit_origin
Read the bifrost API documentation for more details on authentication and request formats.
When dependency-graph: 'true' is used, the action exports the repository SBOM from GitHub's dependency graph API and submits the resulting SPDX document alongside any local SBOM files. GitHub documents this endpoint here: REST API endpoints for software bill of materials (SBOM).
The dependency graph export uses the GitHub CLI (gh) on the runner. GitHub-hosted runners include it by default. On self-hosted runners, ensure gh is installed and available on PATH.
Dependency graph export is only used for the current repository on its default branch. If the default branch head no longer matches the workflow commit, dependency graph export is skipped.
Always store your bifrost API token as a GitHub Secret:
- Go to your repository Settings > Secrets and variables > Actions
- Click "New repository secret"
- Name:
BIFROST_API_TOKEN - Value: Your bifrost API token
- Click "Add secret"
Never hardcode API tokens in your workflow files or commit them to your repository.
When using dependency-graph: 'true', the workflow token needs permission to read repository contents for the current repository. The default ${{ github.token }} is used.
Error: Error: SBOM file does not exist at path: build/sbom.spdx
Solution: Ensure your SBOM generation step runs before this action and outputs to the correct path. Check that each path specified in sbom-path matches where your SBOMs are generated.
Error: GitHub CLI (gh) is required to download the Bifrost CLI
Solution: Install gh on the runner and ensure it is available on PATH. GitHub-hosted runners include gh by default, but self-hosted runners may need to install it explicitly.
Error: Unsupported runner platform: <os>/<arch>
Solution: Use a supported runner platform: Linux/X64, Linux/ARM64, macOS/X64, macOS/ARM64, Windows/X64, or Windows/X86.
Error: Failed to submit SBOM (HTTP 401)
Solution:
- Verify your API token is correct and not expired
- Check that the secret is properly configured in GitHub
Error: Failed to submit SBOM (HTTP 400)
Error Message: Unknown SBOM format: must be either 'SPDX' or 'CycloneDX'
Solution:
- Verify your SBOM file is in a format accepted by bifrost (SPDX or CycloneDX). See documentation SBOM Formats
- Check the SBOM file is valid JSON
This action follows semantic versioning. When using this action, you can specify:
@v1- Latest v1.x.x release (recommended for most users)@v1.0.0- Specific version for maximum stability@main- Latest development version (not recommended for production)
This project is licensed under the MIT License - see the LICENSE file for details.
- Anchore SBOM Action - Generate SBOMs
- Syft - CLI tool for generating SBOMs
- CycloneDX - SBOM standard
- SPDX - SBOM standard