
GitHub action to generate a CycloneDX SBOM for Node.js


This GitHub action creates a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies. CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.

This GitHub action reads the project's node_modules directory, so it typically needs to run after dependencies have been installed (for example after npm install or npm ci). Because the SBOM reflects what is actually installed rather than what package.json declares, install from the lock file (npm ci) in CI so the generated SBOM corresponds to a reproducible dependency tree.

Inputs

path

The path to a Node.js project, default is "./"

Be sure to quote paths with spaces.

output

Output filename, default is "./bom.xml"

Be sure to quote paths with spaces.

Example simple usage

uses: CycloneDX/gh-node-module-generatebom@v1

Example step that defines the output and path (both are optional)

- name: Create SBOM step
  uses: CycloneDX/gh-node-module-generatebom@v1
  with:
    path: './node_project/'
    output: './bom_directory/test.app.bom.xml'

Complete Action with npm build and SBOM creation

name: Build javascript project
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    name: Install and build javascript
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16'
      - run: npm install
      - name: Create SBOM with CycloneDX
        uses: CycloneDX/gh-node-module-generatebom@v1
        with: 
          output: './test.app.bom.xml'
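The bom.xml written by the step above is meant to be consumed by other tooling. As an added example (not part of this action or the CycloneDX project), the Python script below parses a CycloneDX XML SBOM, extracts each component's name, version, purl and hashes, and reports components with no purl, a purl inconsistent with the name and version, or no integrity hash. The embedded SAMPLE_BOM is a constructed illustration of the general shape of such a file (dummy hash values, not real action output); the function names and the audit rules are this example's own choices.

```python
"""Parse and sanity-check a CycloneDX XML SBOM such as the bom.xml this action writes."""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample (not real action output): the general shape of a bom.xml for a
# small Node.js project. The hash value is a dummy placeholder.
SAMPLE_BOM = """<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <metadata>
    <component type="application">
      <name>test.app</name>
      <version>1.0.0</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>lodash</name>
      <version>4.17.21</version>
      <purl>pkg:npm/lodash@4.17.21</purl>
      <hashes>
        <hash alg="SHA-512">0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</hash>
      </hashes>
    </component>
    <component type="library">
      <group>@babel</group>
      <name>core</name>
      <version>7.22.5</version>
      <purl>pkg:npm/%40babel/core@7.22.5</purl>
    </component>
    <component type="library">
      <name>left-pad</name>
      <version>1.3.0</version>
    </component>
  </components>
</bom>
"""


def _local(tag):
    """Strip the namespace so the parser works across CycloneDX 1.x schema versions."""
    return tag.rsplit("}", 1)[-1]


def parse_bom(xml_text):
    """Return the top-level <components> of a CycloneDX XML BOM as a list of dicts.

    Nested sub-components are ignored; the <metadata> component (the project itself)
    is deliberately not included in the dependency list.
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "bom":
        raise ValueError("not a CycloneDX BOM: root element is %r" % root.tag)
    components_el = next((c for c in root if _local(c.tag) == "components"), None)
    if components_el is None:
        return []
    comps = []
    for comp in components_el:
        if _local(comp.tag) != "component":
            continue
        fields = {_local(ch.tag): ch for ch in comp}

        def text(key):
            el = fields.get(key)
            return el.text.strip() if el is not None and el.text else None

        hashes = {}
        if "hashes" in fields:
            for h in fields["hashes"]:
                if _local(h.tag) == "hash":
                    hashes[h.get("alg")] = (h.text or "").strip()
        comps.append({
            "type": comp.get("type"),
            "group": text("group"),
            "name": text("name"),
            "version": text("version"),
            "purl": text("purl"),
            "hashes": hashes,
        })
    return comps


def expected_purl(comp):
    """Build the pkg:npm purl implied by group/name/version (scope '@' is percent-encoded)."""
    name = quote(comp["name"] or "", safe="")
    version = quote(comp["version"] or "", safe="")
    if comp["group"]:
        return "pkg:npm/%s/%s@%s" % (quote(comp["group"], safe=""), name, version)
    return "pkg:npm/%s@%s" % (name, version)


def audit(components):
    """Return (label, problem) findings for components a reviewer should look at."""
    findings = []
    for c in components:
        label = "%s@%s" % (c["name"], c["version"])
        if c["group"]:
            label = "%s/%s" % (c["group"], label)
        if not c["version"]:
            findings.append((label, "missing version"))
        if not c["purl"]:
            findings.append((label, "missing purl"))
        elif c["purl"] != expected_purl(c):
            findings.append((label, "purl does not match name/version: %s" % c["purl"]))
        if not c["hashes"]:
            findings.append((label, "no integrity hash"))
    return findings


if __name__ == "__main__":
    # Usage: python check_bom.py ./test.app.bom.xml   (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BOM
    found = audit(parse_bom(text))
    for label, problem in found:
        print("%s: %s" % (label, problem))
    sys.exit(1 if found else 0)
```

Run it as a follow-up step on the file named in output so the job fails when the SBOM is empty or malformed. The stdlib ElementTree parser is fine for a file your own pipeline just produced; for SBOMs received from third parties, parse with defusedxml instead, since stdlib XML parsers offer limited protection against entity-expansion attacks.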

Internals

This action uses @cyclonedx/bom at a version below 4 (@cyclonedx/bom@<4). See the @cyclonedx/bom package on npmjs.com.