Skip to content

bifrostsec/submit-sbom-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Submit SBOM to bifrost action

A GitHub Action that submits Software Bill of Materials (SBOM) files to the bifrost API to analyze your services for known vulnerabilities and security risks.

Prerequisites

  • A bifrost organization and service set up to receive SBOMs. See Get started for more information.
  • A valid bifrost API token. Navigate to your organization settings and create a new token under API access tokens.
  • An SBOM file generated by your build process, or dependency-graph: 'true'
  • GitHub repository with Actions enabled

Usage

Basic Example

name: build
on:
  pull_request:

jobs:
  build:
    name: Build and submit SBOM
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
      - name: Build code
        run: make build
      - name: Generate SBOM
        run: # execute tool that generates SBOM output to file
      - name: Send SBOM to bifrost
        uses: bifrostsec/submit-sbom-action@v1
        with:
          api-token: ${{ secrets.BIFROST_API_TOKEN }}
          service: 'my-service'
          service-version: 'v1.0.0'
          sbom-path: 'build/sbom.spdx'

Syft SBOM generation example

name: build
on:
  pull_request:

jobs:
  build:
    name: Build and submit SBOM
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        
      - name: Build code
        run: make build
        
        # Generate SBOM using anchore/sbom-action (syft)
      - name: Generate SBOM
        uses: anchore/sbom-action@v0.21.1
        with:
          path: .
          format: spdx-json
          output-file: build/sbom.spdx
          
      - name: Send SBOM to bifrost
        uses: bifrostsec/submit-sbom-action@v1
        with:
          api-token: ${{ secrets.BIFROST_API_TOKEN }}
          service: 'my-service'
          service-version: 'v1.0.0'
          sbom-path: 'build/sbom.spdx'

Advanced Example with Custom Retry Configuration

      - name: Send SBOM to bifrost
        uses: bifrostsec/submit-sbom-action@v1
        with:
          api-token: ${{ secrets.BIFROST_API_TOKEN }}
          service: 'my-service'
          service-version: 'v1.0.0'
          sbom-path: 'build/sbom.spdx'
          retry-attempts: '5'
          retry-delay: '10'

Multiple SBOM Files

Provide sbom-path as a multiline value to upload multiple SBOM files in one action invocation:

      - name: Send SBOMs to bifrost
        uses: bifrostsec/submit-sbom-action@v1
        with:
          api-token: ${{ secrets.BIFROST_API_TOKEN }}
          service: 'my-service'
          service-version: 'v1.0.0'
          sbom-path: |
            build/backend.cdx.json
            build/frontend.cdx.json

GitHub Dependency Graph SBOM

Use GitHub's dependency graph export as an additional SBOM source:

      - name: Send SBOMs to bifrost
        uses: bifrostsec/submit-sbom-action@v1
        with:
          api-token: ${{ secrets.BIFROST_API_TOKEN }}
          service: 'my-service'
          service-version: 'v1.0.0'
          dependency-graph: 'true'

Note: If you want the workflow to continue even if this action fails, you can use GitHub's built-in continue-on-error setting. See the GitHub Actions workflow syntax documentation for more information.

Inputs

Input Description Required Default Notes
api-token Bearer token for Bifrost API authentication Yes - -
service Your Service name Yes - -
service-version Your Service version Yes - -
sbom-path Path to the SBOM file to submit, or a multiline list of SBOM paths No - When unset and dependency-graph is true, only the dependency graph SBOM is submitted
dependency-graph Export the GitHub dependency graph SBOM No false Uses the current repository default branch
retry-attempts Number of retry attempts for failed requests No 3 -
retry-delay Delay in seconds between retry attempts No 2 -
api-host Custom API host URL No https://portal.bifrostsec.com -

Outputs

This action does not provide explicit output values. Instead, it uses GitHub Actions' standard exit behavior:

  • On successful SBOM submission, the action completes successfully
  • On failure, the action fails and stops the workflow (unless continue-on-error is set)
  • If neither sbom-path nor dependency-graph is configured, the action warns and completes without submitting an SBOM

API Requirements

This action submits SBOMs to the Bifrost API using bifrost-cli, which calls the following endpoint:

POST https://portal.bifrostsec.com/api/v2/service/{service}/version/{version}/sbom

The request includes:

  • Authorization: Bearer {api-token} header
  • Content-Type: application/json header
  • SBOM file contents as the request body
  • Git metadata query parameters: git_branch, git_commit_sha, and git_origin

Read the bifrost API documentation for more details on authentication and request formats.

When dependency-graph: 'true' is used, the action exports the repository SBOM from GitHub's dependency graph API and submits the resulting SPDX document alongside any local SBOM files. GitHub documents this endpoint here: REST API endpoints for software bill of materials (SBOM).

The dependency graph export uses the GitHub CLI (gh) on the runner. GitHub-hosted runners include it by default. On self-hosted runners, ensure gh is installed and available on PATH.

Dependency graph export is only used for the current repository on its default branch. If the default branch head no longer matches the workflow commit, dependency graph export is skipped.

Security

Storing API Tokens

Always store your bifrost API token as a GitHub Secret:

  1. Go to your repository Settings > Secrets and variables > Actions
  2. Click "New repository secret"
  3. Name: BIFROST_API_TOKEN
  4. Value: Your bifrost API token
  5. Click "Add secret"

Never hardcode API tokens in your workflow files or commit them to your repository.

GitHub Token Permissions

When using dependency-graph: 'true', the workflow token needs permission to read repository contents for the current repository. The default ${{ github.token }} is used.

Troubleshooting

SBOM file not found

Error: Error: SBOM file does not exist at path: build/sbom.spdx

Solution: Ensure your SBOM generation step runs before this action and outputs to the correct path. Check that each path specified in sbom-path matches where your SBOMs are generated.

GitHub CLI not found

Error: GitHub CLI (gh) is required to download the Bifrost CLI

Solution: Install gh on the runner and ensure it is available on PATH. GitHub-hosted runners include gh by default, but self-hosted runners may need to install it explicitly.

Unsupported runner platform

Error: Unsupported runner platform: <os>/<arch>

Solution: Use a supported runner platform: Linux/X64, Linux/ARM64, macOS/X64, macOS/ARM64, Windows/X64, or Windows/X86.

Authentication failed (HTTP 401)

Error: Failed to submit SBOM (HTTP 401)

Solution:

  • Verify your API token is correct and not expired
  • Check that the secret is properly configured in GitHub

Invalid SBOM format

Error: Failed to submit SBOM (HTTP 400) Error Message: Unknown SBOM format: must be either 'SPDX' or 'CycloneDX'

Solution:

  • Verify your SBOM file is in a format accepted by bifrost (SPDX or CycloneDX). See documentation SBOM Formats
  • Check the SBOM file is valid JSON

Versioning

This action follows semantic versioning. When using this action, you can specify:

  • @v1 - Latest v1.x.x release (recommended for most users)
  • @v1.0.0 - Specific version for maximum stability
  • @main - Latest development version (not recommended for production)

License

This project is licensed under the MIT License - see the LICENSE file for details.

Related Projects

About

GitHub Action for sending SBOM to bifrost

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages