
GitHub action to produce an SBOM report from a given Black Duck project


Create Black Duck Report Action

Overview

This action provides support for creating Black Duck reports. Currently, it supports the following types:

  • Software Bill of Materials (SBOM)
  • License Reports

Software Bill of Materials (SBOM) reports can be generated in the following formats:

  • SPDX v2.2
  • SPDX v2.3
  • CycloneDX v1.3
  • CycloneDX v1.4

License reports can be generated in the following formats:

  • JSON
  • TEXT

Changelog

All notable changes to this project are documented in CHANGELOG.md.

Usage

Example

on:
  push:
    tags:
      - '*'

jobs:
  create-report:
    name: Create Black Duck report
    runs-on: ubuntu-latest
    steps:
      # Check out the repository first, then run the report action
      - name: Checkout
        uses: actions/checkout@v4
      - name: Create Black Duck report
        uses: tvcsantos/blackduck-report-action@v2
        with:
          blackduck-url: ${{ vars.BLACKDUCK_URL }}
          blackduck-token: ${{ secrets.BLACKDUCK_API_TOKEN }}

In the example above we use the action to create a Black Duck report for the current repository on every push of a tag. First we check out our code, then we run this action.

⚠️ Note that this action requires at least the following parameters to work:

  • blackduck-url - URL of the Black Duck instance.
  • blackduck-token - API token of the Black Duck user on whose behalf the project is read.

⚠️ Note that blackduck-token must be stored as a secret and never written in plain text in your workflow. Storing blackduck-url in a variable likewise keeps it out of the workflow file and makes the workflow above reusable across your pipelines.

In the example above, blackduck-token is provided via the secret BLACKDUCK_API_TOKEN, which must be defined either in your repository or shared at organization level. Likewise, blackduck-url is provided via the variable BLACKDUCK_URL, which must be defined either in your repository variables or shared at organization level.

For more details on the values of these secrets and variables, see the Inputs section.

Inputs

Input             Type    Required  Default                    Description
blackduck-url     String  Yes       -                          Black Duck instance URL.
blackduck-token   String  Yes       -                          Black Duck API token.
output-directory  String  No        ./blackduck-report         Path to the directory where the report will be saved.
project-name      String  No        ${{ github.repository }}   Project name in Black Duck.
project-version   String  No        ${{ github.ref_name }}     Project version in Black Duck.
report-format     String  No        JSON                       Report format; the allowed values depend on report-type (see below).
report-type       String  No        SPDX_23                    Report type (see below).

Supported values for report-format, per report-type:

  • SPDX_22 report: JSON, YAML, RDF or TAG_VALUE.
  • SPDX_23 report: JSON, YAML, RDF or TAG_VALUE.
  • CYCLONE_DX_13 report: JSON.
  • CYCLONE_DX_14 report: JSON.

Supported values for report-type:

  • SPDX_22 - Generate an SBOM SPDX v2.2 report.
  • SPDX_23 - Generate an SBOM SPDX v2.3 report.
  • CYCLONE_DX_13 - Generate an SBOM CycloneDX v1.3 report.
  • CYCLONE_DX_14 - Generate an SBOM CycloneDX v1.4 report.

Outputs

Output            Type    Description
report-file-path  String  Path to the generated report file.
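The workflow below is an added illustration, not part of the action's own documentation: it ties the inputs and the report-file-path output together by generating a CycloneDX v1.4 JSON SBOM, pinning the job's token to read-only permissions, and uploading the resulting file as a build artifact. It assumes actions/checkout@v4 and actions/upload-artifact@v4 for the checkout and upload steps.

```yaml
on:
  push:
    tags:
      - '*'

# Least privilege: the job only needs to read the repository;
# Black Duck access comes from the dedicated API token below.
permissions:
  contents: read

jobs:
  sbom:
    name: Generate and archive CycloneDX SBOM
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # The step gets an id so later steps can read its outputs.
      - name: Create Black Duck report
        id: bd-report
        uses: tvcsantos/blackduck-report-action@v2
        with:
          blackduck-url: ${{ vars.BLACKDUCK_URL }}
          blackduck-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
          report-type: CYCLONE_DX_14     # CycloneDX reports support JSON only
          report-format: JSON
          output-directory: ./sbom       # overrides the ./blackduck-report default

      # Consume the report-file-path output and keep the SBOM with the build.
      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ github.ref_name }}
          path: ${{ steps.bd-report.outputs.report-file-path }}
          if-no-files-found: error
```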

License

This project is released under the MIT License.

Contributions

Contributions are welcome! See Contributor's Guide.