✦ Sample Prompt
Add SBOM generation and upload to every GitHub Actions workflow that produces a
release artifact.
For each repository, find `.github/workflows/*.yml` jobs that:
- Build and push a container image (`docker buildx build --push`, `docker/build-push-action`)
- Publish a package (`npm publish`, `gem push`, `mvn deploy`, `gh release upload`)
In each such job:
1. Insert an `anchore/sbom-action@v0` step after the build/publish step:
- For image builds: pass the pushed image reference, format `cyclonedx-json`,
output `sbom.cdx.json`
- For source/package builds: scan the workspace path, same format
2. Add an upload step that attaches the SBOM to the release:
- For GitHub releases: `gh release upload ${{ github.ref_name }} sbom.cdx.json`
- For JFrog/S3: use the upload action already in use in that workflow
3. Skip workflows that already have an SBOM step (any `anchore/sbom-action`,
`CycloneDX/gh-*`, or `syft` step).
4. Do not modify workflows that only run tests/lint with no published artifact.
The Problem
Software bills of materials (SBOMs) are now a baseline requirement for FedRAMP, the EU Cyber Resilience Act (CRA) and most enterprise procurement reviews. The technical fix is simple (add a Syft/CycloneDX step to every build and upload the result); rolling it out across hundreds of build pipelines is the slow part.
Half your workflows use container builds; the other half use language-native tooling. Some upload artifacts to GitHub releases, others to JFrog or S3. The SBOM step has to slot in after the artifact is built (for images, after the push, so it scans the reference that actually went to the registry), in the right format, and deliver its output to the right destination.
What Tidra Does
- Identifies every `.github/workflows/*.yml` that produces a release artifact (image push, npm publish, release upload)
- Inserts an `anchore/sbom-action` step after the build, configured for CycloneDX JSON output
- Adds an upload step that attaches the SBOM to the release or pushes it to your artifact registry
- Skips workflows that already have an SBOM step
- Opens one PR per repo and links to the compliance ticket the rollout is for
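The identify / insert / skip procedure above, as an added example that is neither Tidra's code nor code from this page: a standard-library Python script that applies the sample prompt's rules to workflow text. The sample workflows, the `image_ref` fallback name and the text-based step-boundary detection are assumptions of this example, not something the page describes.

```python
"""Triage GitHub Actions workflows for an SBOM rollout and patch the qualifying ones.

Added example, not Tidra's code. It applies the rules from the sample prompt with
line-based edits so comments and indentation survive (a YAML round-trip would drop
them); validate the result with a YAML parser before opening the PR.
"""
import re

# Patterns from the prompt: steps that publish an artifact, and SBOM steps that mean
# the workflow is skipped. docker/build-push-action with `push: false` is a false
# positive of this text-level check.
IMAGE_PUSH = re.compile(r"docker buildx build .*--push|docker/build-push-action", re.S)
PACKAGE_PUBLISH = re.compile(r"\bnpm publish\b|\bgem push\b|\bmvn deploy\b|gh release upload")
HAS_SBOM = re.compile(r"anchore/sbom-action|CycloneDX/gh-|\bsyft\b")
STEP_START = re.compile(r"^(\s*)- ")        # a YAML list item, i.e. one step
STEPS_KEY = re.compile(r"^\s*steps:\s*$")   # start of a job's step list

def classify(text: str) -> str:
    """Whole-workflow verdict: skip-sbom, image, package, or none (tests/lint only)."""
    if HAS_SBOM.search(text):
        return "skip-sbom"
    if IMAGE_PUSH.search(text):
        return "image"
    if PACKAGE_PUBLISH.search(text):
        return "package"
    return "none"

def image_ref(step: str) -> str:
    """Reference to scan: the -t / tags: value of the push step; $VAR becomes ${{ env.VAR }}."""
    m = re.search(r"-t\s+(\S+)", step) or re.search(r"tags:\s*(\S+)", step)
    ref = m.group(1) if m else "${{ env.IMAGE }}"  # fallback name is an assumption
    return re.sub(r"^\$(\w+)$", r"${{ env.\1 }}", ref)

def sbom_steps(indent: str, ref: str = "") -> list[str]:
    """The two steps to insert at the matched step's indentation; no ref = scan the workspace."""
    block = [
        "- name: Generate SBOM",
        "  uses: anchore/sbom-action@v0",
        "  with:",
        "    " + ("image: " + ref if ref else "path: ."),
        "    format: cyclonedx-json",
        "    output-file: sbom.cdx.json",
        "- name: Attach SBOM to release",
        "  env:",
        "    GH_TOKEN: ${{ github.token }}",  # gh needs a token; the job also needs contents: write
        "  run: gh release upload ${{ github.ref_name }} sbom.cdx.json",
    ]
    return [indent + line for line in block]

def patch_workflow(text: str) -> tuple[str, str]:
    """Return (verdict, text); the text is unchanged unless the verdict is image or package."""
    verdict = classify(text)
    if verdict not in ("image", "package"):
        return verdict, text
    lines, out, i, done = text.splitlines(), [], 0, False
    while i < len(lines):
        if STEPS_KEY.match(lines[i]):
            done = False                   # one SBOM block per job
        m = STEP_START.match(lines[i])
        if m and not done:
            indent, j = m.group(1), i + 1  # a step runs until the next line indented <= itself
            while j < len(lines) and (not lines[j].strip() or lines[j].startswith(indent + " ")):
                j += 1
            end = j
            while end > i + 1 and not lines[end - 1].strip():
                end -= 1                   # trailing blank lines belong to the gap, not the step
            step = "\n".join(lines[i:end])
            kind = "image" if IMAGE_PUSH.search(step) else "package" if PACKAGE_PUBLISH.search(step) else ""
            if kind:
                out += lines[i:end] + sbom_steps(indent, image_ref(step) if kind == "image" else "") + lines[end:j]
                i, done = j, True
                continue
        out.append(lines[i])
        i += 1
    return verdict, "\n".join(out) + "\n"

# Constructed sample workflows for this example (not taken from a real repository).
RELEASE_YML = """\
jobs:
  image:
    steps:
      - uses: actions/checkout@v4
      - name: Build and push image
        run: docker buildx build --push -t $IMAGE .
      - name: Notify
        run: echo done
"""
NPM_YML = "jobs:\n  publish:\n    steps:\n      - run: npm ci\n      - run: npm publish --provenance\n"
TEST_YML = "jobs:\n  test:\n    steps:\n      - run: npm ci && npm test\n"

if __name__ == "__main__":
    for name, yml in [("release.yml", RELEASE_YML), ("npm.yml", NPM_YML), ("ci.yml", TEST_YML)]:
        verdict, patched = patch_workflow(yml)
        print(f"== {name}: {verdict}\n{patched if patched != yml else ''}")
```

Running it on the three constructed workflows patches the image job (SBOM scanned from the pushed reference) and the npm job (SBOM scanned from the workspace), leaves the test-only workflow alone, and a second pass over a patched file returns `skip-sbom`, so the rollout is idempotent. The inserted upload step carries `GH_TOKEN` because `gh` has no credentials in Actions otherwise; the job still needs `permissions: contents: write`, which a text-level insert cannot safely add without knowing the job's existing `permissions:` block.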
Before & After
diff
.github/workflows/release.yml
- name: Build and push image
run: docker buildx build --push -t $IMAGE .
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ image: ${{ env.IMAGE }}
+ format: cyclonedx-json
+ output-file: sbom.cdx.json
+
+ - name: Attach SBOM to release
+ run: gh release upload ${{ github.ref_name }} sbom.cdx.json
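Review bot: the `gh release upload` step will fail as written, because `gh` in Actions needs a token (for example `env: GH_TOKEN: ${{ github.token }}` on the step) and the job needs `permissions: contents: write`; neither appears in the hunk, and the step also assumes a release for `${{ github.ref_name }}` already exists. Two further points on the same hunk: `anchore/sbom-action` defaults `upload-release-assets` to true, so on a `release` event it attaches the SBOM itself and this step duplicates it (set `upload-release-assets: false` or drop the step); and `image: ${{ env.IMAGE }}` is a mutable tag pulled from the registry at scan time, so the SBOM describes whatever the tag points to then rather than the bytes just pushed. Capture the digest from the push (`docker/build-push-action` exposes it as the `digest` output; for raw `docker buildx build`, `--metadata-file` writes it) and scan `image@sha256:...` instead.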
Customization Tips
- Format: Defaults to CycloneDX JSON (`cyclonedx-json`). Switch to SPDX (`spdx-json`) only if your downstream tooling requires it; Dependency-Track, for instance, ingests CycloneDX natively, so keep the default there.
- Signing: Add a `cosign attest` step in the prompt if your compliance program requires signed SBOMs, and attest the image digest rather than a mutable tag so the attestation stays bound to the artifact that was actually pushed.
- Destination: Tell Tidra where SBOMs should land: GitHub release assets, a JFrog repository, an S3 bucket, or your SBOM management platform.