This action assumes that you have an existing Dependency-Track project and a CycloneDX SBOM. Using these prerequisites it performs the following steps:
- Upload the SBOM to the specified project
- Analyze the project for vulnerabilities and policy violations
- Retrieve the project metrics and expose them as outputs for later steps of the pipeline
- Download the CycloneDX SBOM from Dependency-Track, now with vulnerability information and the additional licenses attached
This action was inspired by action-owasp-dependecy-track-check and gh-upload-sbom.
Inputs:
- `server-hostname` (**Required**): Dependency-Track hostname
- `api-key` (**Required**): Dependency-Track API key
- `project` (**Required**): Project UUID in Dependency-Track
- `bom-filename`: Path and filename of the BOM, default `bom.xml`
- `bom-output-filename`: Path and filename of the output BOM, default `out-bom.xml`
Outputs:
- The computed risk score
- The number of vulnerabilities
- The total number of violations
```yaml
uses: Rosslight/DependencyTrackChecker@v1.3
with:
  server-hostname: 'example.com'
  api-key: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
  project: 'dadec8ad-7053-4e8c-8044-7b6ef698e08d'
  bom-filename: 'bom.json'
  bom-output-filename: 'out-bom.json'
```
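The four steps above, written out against the Dependency-Track REST API as an added example (not the action's own code), so you can see what the action does and how a pipeline can gate on the metrics it returns. The endpoint paths, the `X-Api-Key` header, the metric field names and the `gate()` thresholds are this example's assumptions, not taken from the README.

```python
import base64
import json
import time
import urllib.request

# Assumed Dependency-Track endpoints (not from the README): PUT /api/v1/bom,
# GET /api/v1/bom/token/{token}, GET /api/v1/metrics/project/{uuid}/current,
# GET /api/v1/bom/cyclonedx/project/{uuid}. Authentication uses the X-Api-Key header.

def upload_payload(project_uuid: str, bom_bytes: bytes) -> dict:
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded, bound to the project UUID."""
    return {"project": project_uuid, "bom": base64.b64encode(bom_bytes).decode("ascii")}

def summarize_metrics(metrics: dict) -> dict:
    """Reduce the project's current metrics to the three values the action exposes."""
    return {
        "risk_score": float(metrics.get("inheritedRiskScore", 0.0)),
        "vulnerabilities": int(metrics.get("vulnerabilities", 0)),
        "violations": int(metrics.get("policyViolationsTotal", 0)),
    }

def gate(summary: dict, max_risk: float, max_violations: int = 0) -> bool:
    """Pipeline decision: pass only if risk score and policy violations stay within the limits."""
    return summary["risk_score"] <= max_risk and summary["violations"] <= max_violations

def _request(host: str, api_key: str, method: str, path: str, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{host}{path}", data=data, method=method,
                                 headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def check_project(host, api_key, project_uuid, bom_path, out_path, max_risk=10.0):
    """Upload, wait for analysis, fetch metrics, download the enriched BOM, return (summary, passed)."""
    with open(bom_path, "rb") as f:
        token = _request(host, api_key, "PUT", "/api/v1/bom",
                         upload_payload(project_uuid, f.read()))["token"]
    # BOM processing is asynchronous: poll the upload token until analysis has finished,
    # otherwise the metrics read below would describe the previous upload.
    while _request(host, api_key, "GET", f"/api/v1/bom/token/{token}")["processing"]:
        time.sleep(5)
    summary = summarize_metrics(
        _request(host, api_key, "GET", f"/api/v1/metrics/project/{project_uuid}/current"))
    enriched = _request(host, api_key, "GET",
                        f"/api/v1/bom/cyclonedx/project/{project_uuid}?format=json&variant=withVulnerabilities")
    with open(out_path, "w") as f:
        json.dump(enriched, f)
    return summary, gate(summary, max_risk)
```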