
feat: add multi-format SBOM generation with GitHub Action#56

Open
jgamblin wants to merge 7 commits into CERTCC:main from jgamblin:feature/sbom


jgamblin (Contributor) commented Apr 3, 2026

Summary

  • Adds SBOM generator producing CycloneDX 1.6, SPDX 2.3 (JSON + tag-value), and Markdown for all 21 runtime components and 139 dev/CI dependencies
  • GitHub Action workflow auto-regenerates SBOMs on dependency-relevant file changes and opens a PR
  • Modular Node.js scripts under scripts/sbom/ with 28 tests (extraction, CycloneDX, SPDX, Markdown)

Closes #53

Files

Generator modules:

  • scripts/generate-sbom.mjs — Main entry point
  • scripts/sbom/extract.mjs — Component data extraction from HTML, JS, vendored dirs, package.json, workflow YAML
  • scripts/sbom/cyclonedx.mjs — CycloneDX 1.6 JSON output
  • scripts/sbom/spdx.mjs — SPDX 2.3 JSON and tag-value output
  • scripts/sbom/markdown.mjs — Human-readable Markdown summary

Generated SBOM output (docs/sbom/):

  • SBOM.md, cyclonedx-runtime.json, cyclonedx-dev.json, spdx-runtime.json, spdx-dev.json, spdx-runtime.spdx, spdx-dev.spdx

CI/CD:

  • .github/workflows/generate-sbom.yml — Triggers on main push or manual dispatch, auto-opens PR with updated SBOMs

Tests (tests/sbom/):

  • extract.test.js, cyclonedx.test.js, spdx.test.js, markdown.test.js

Test plan

  • All 79 tests pass (28 new SBOM + 51 existing)
  • Generator produces 7 output files covering 21 runtime + 139 dev components
  • CycloneDX output includes purls, SRI hashes, and license info
  • SPDX output includes DESCRIBES/DEPENDS_ON relationships
  • Verify GitHub Action triggers correctly on merge

🤖 Generated with Claude Code
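The extraction and output steps the PR description lists, as an added example that is not the PR's or CERTCC's own code: pull remote `<script>` tags out of HTML, derive an npm purl from an assumed jsDelivr-style `/npm/<name>@<version>/` URL, convert the SRI `integrity` value into the hex digest CycloneDX 1.6 expects, and emit SPDX 2.3 DESCRIBES/DEPENDS_ON relationship records. The sample HTML and its hash are constructed; the script assumes plain Node.js (14+ for optional chaining) and `Buffer` as a global.

```javascript
// Constructed HTML input (not from the project); the integrity value is a fake but
// well-formed sha384 SRI string, and the second tag deliberately lacks integrity.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.2/marked.min.js"
  integrity="sha384-AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v"
  crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.1.6/dist/purify.min.js"></script>
`;

// Pull src/integrity from every remote <script> tag (attribute order independent).
function extractCdnScripts(html) {
  const out = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc="([^"]+)"/.exec(attrs)?.[1];
    if (!src || !/^https?:\/\//.test(src)) continue; // skip inline/local scripts
    out.push({ src, integrity: /\bintegrity="([^"]+)"/.exec(attrs)?.[1] ?? null });
  }
  return out;
}
// Assumed URL convention: /npm/<name>@<version>/... (unscoped packages only).
function npmCoordinates(src) {
  const m = /\/npm\/([^@/]+)@([^/]+)\//.exec(src);
  return m ? { name: m[1], version: m[2] } : null;
}
// SRI is "<alg>-<base64 digest>"; CycloneDX expects "SHA-384" plus a lowercase hex digest.
function sriToCycloneHash(integrity) {
  const [alg, b64] = integrity.split("-", 2);
  return { alg: alg.toUpperCase().replace("SHA", "SHA-"), content: Buffer.from(b64, "base64").toString("hex") };
}
// Minimal CycloneDX 1.6 document; non-npm URLs are dropped, and a CDN script
// without SRI is flagged via a property so reviewers can spot the gap.
function buildBom(html) {
  const components = extractCdnScripts(html).filter((s) => npmCoordinates(s.src)).map(({ src, integrity }) => {
    const { name, version } = npmCoordinates(src);
    return {
      type: "library", name, version, purl: `pkg:npm/${name}@${version}`,
      hashes: integrity ? [sriToCycloneHash(integrity)] : [],
      properties: integrity ? [] : [{ name: "sri:missing", value: "true" }],
    };
  });
  return { bomFormat: "CycloneDX", specVersion: "1.6", version: 1, components };
}
// SPDX 2.3 relationships: DOCUMENT DESCRIBES the app, which DEPENDS_ON each component.
function spdxRelationships(bom, rootId = "SPDXRef-Application") {
  const rels = [{ spdxElementId: "SPDXRef-DOCUMENT", relationshipType: "DESCRIBES", relatedSpdxElement: rootId }];
  for (const c of bom.components) {
    rels.push({ spdxElementId: rootId, relationshipType: "DEPENDS_ON", relatedSpdxElement: `SPDXRef-Package-${c.name}` });
  }
  return rels;
}
```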

jgamblin and others added 7 commits April 3, 2026 17:41
Extracts CDN deps from HTML, source file versions, vendored lib versions,
npm dev deps, and GitHub Actions from workflow files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Generates CycloneDX 1.6, SPDX 2.3 (JSON + tag-value), and Markdown
SBOM files for 20 runtime components and 139 dev/CI dependencies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Triggers on pushes to main that change dependency-relevant files,
or via manual workflow_dispatch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The version string in ace.js was at byte 56424, past the previous
50000 byte limit. Bumped to 60000 to reliably extract it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Successfully merging this pull request may close these issues.

Add SBOM that identifies all components being used.
