Show dependencies for Github Actions
Summary
I would like to submit a feature request for showing dependencies of Github Actions
Current behavior
syft has no problem finding github actions and showing them as dependencies to a project when you run syft on a git repo directory that uses Github Actions. However, the dependencies of those actions are not listed. We have to download the release archive of the github action and run syft on that to get some visibility.
Steps to reproduce
- Checkout a repository that uses Github Actions
- Run `syft` on the directory
- Observe that Github Actions are a part of the resulting SBOM, however the dependencies for those actions are not listed.
Requested behavior
Have dependencies for github actions be listed in SBOM so that vulnerable packages used by an Action can be flagged by grype
Hi @yaabdala, thanks for the request. Would you mind providing a link to a github action file that has dependencies that are missed, and say what dependencies we should have found?
It sounds like what you're asking for is that in a file like:
https://github.com/anchore/syft/blob/2a3d171c1014ce09dc28c87c52e8b10815b5b96f/.github/workflows/validations.yaml#L15-L26
We should have found actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0. But we find this today. Is there something else we should be finding?
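As an added example (not syft's code), this is the workflow-parsing step a tool has to do before it can record an action as an SBOM component: pull each `uses:` reference out of a workflow, split it into action name and ref, and flag refs that float on a tag instead of a full commit SHA. The workflow text is constructed to resemble the validations.yaml lines linked above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of a GitHub Actions workflow
# (not the real validations.yaml from the syft repository).
SAMPLE_WORKFLOW = """\
name: Validations
on: [push]
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/bootstrap
      - uses: docker://alpine:3.20
      - run: make test
"""

# "uses: <ref>" optionally followed by a "# comment" (usually the version)
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*(?P<ref>[^\s#]+)[ \t]*(?:#[ \t]*(?P<comment>.*))?$",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class ActionRef:
    name: str     # owner/repo of the action
    ref: str      # tag, branch or commit SHA after the '@'
    pinned: bool  # True only when ref is a full 40-hex commit SHA
    comment: str  # trailing comment, usually the human-readable version

def parse_actions(workflow_text: str) -> List[ActionRef]:
    """Return the remote GitHub Actions referenced by `uses:` lines."""
    found = []
    for m in USES_RE.finditer(workflow_text):
        token = m.group("ref")
        # Local actions and docker images are not owner/repo@ref references
        if token.startswith("./") or token.startswith("docker://"):
            continue
        name, _, ref = token.partition("@")
        found.append(ActionRef(name, ref, bool(SHA_RE.match(ref)),
                               (m.group("comment") or "").strip()))
    return found

def unpinned(refs: List[ActionRef]) -> List[str]:
    """Actions that float on a tag or branch instead of a commit SHA."""
    return [f"{r.name}@{r.ref}" for r in refs if not r.pinned]
```

Running `parse_actions(SAMPLE_WORKFLOW)` yields the SHA-pinned `actions/checkout` entry with its `v4.2.0` comment and the tag-pinned `actions/setup-go@v5`, which `unpinned()` reports.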