Generate a Mobile SBOM for an application and submit to the Dependency submission API.
Features:
- Integrates with GitHub's Dependency submission API to display mobile dependencies inside of GitHub Dependabot alerts,
- Run scans for each commit, or periodically;
This action requires a NowSecure Platform license. If you are not a NowSecure customer, click here to sign up for a free trial to get access.
If you are an existing NowSecure customer, proceed with the instructions below.
- NowSecure Platform token in GitHub secrets,
- In NowSecure Platform, go to "Profile & Preferences" to create a token for GitHub,
- In GitHub repository settings, click "Secrets" then "New repository secret". Name the secret
NS_TOKEN
;
- Group ID;
Go to the GitHub Marketplace and click the "NowSecure Mobile SBOM" action, then click "Use latest version" and follow the annotated workflow.
For an existing workflow,
The action must be run on an ubuntu-latest
GitHub Action runner.
After the application build step run the NowSecure Mobile SBOM action:
- name: NowSecure upload app
uses: nowsecure/nowsecure-sbom-action@v3
timeout-minutes: 60
with:
platform_token: ${{ secrets.NS_TOKEN }}
app_file: $APPLICATION_PATH # REPLACE: The path to an .ipa or .apk
group_id: $GROUP_ID # REPLACE: NowSecure Group ID
For a new workflow,
Add a new file called nowsecure-sbom.yml
in your .github/workflows
folder and review the example.
This project is released under the MIT License.
NowSecure Platform, used in this action, has separate Terms and Conditions and requires a valid license to function.