
GitHub Action

Customers using GitHub should use the kusari-ingest action for seamless integration. This Action ingests various artifacts (such as SBOMs, SLSA and other attestations) into the Kusari Platform as part of your GitHub workflow.

note

You need an API key to set this up.

Basic Usage

GitHub Workflow excerpt
jobs:
  build:
    steps:
      - uses: actions/checkout@v4

      - uses: [Your build and SBOM/Provenance generation steps]

      - uses: kusaridev/kusari-ingest@f28d0be1bb0cddcbc83f37f50dd2cd66f5c76ffb #v2.0.7
        name: Kusari Ingestion
        with:
          file-path: './spdx.json'
          tenant-endpoint: 'https://[tenant_name].api.us.kusari.cloud'
          client-id: ${{ secrets.KUSARI_CLIENT_ID }}
          client-secret: ${{ secrets.KUSARI_CLIENT_SECRET }}

      - uses: [Rest of your build steps]

Required Inputs

  • file-path: Path to directory or specific file to ingest
  • tenant-endpoint: Kusari Platform tenant API endpoint
  • client-id: Client ID for auth token provider (store as GitHub secret)
  • client-secret: Client secret for auth token provider (store as GitHub secret)

Optional Inputs

  • component-name: Component name for grouping multiple SBOM subjects. If a component with this name does not exist, it will be created. Default: ${{ github.event.repository.name }}
  • check-blocked-packages: Set to true to check if the SBOMs have any dependencies found in your blocked package list. If a blocked package is found, the program will terminate with a non-zero exit status, failing the job. Default: false
  • document-type: Type of the file being uploaded (e.g., source, build, or image for different types of SBOMs). Default: ""
  • alias: Alias of the package for grouping. Default: ""
  • open-vex: Set to true if ingesting an OpenVEX document. When true, tag is required and so is one of software-id or sbom-subject. Default: false
  • tag: Tag for the document. Currently only used for OpenVEX (e.g., govulncheck)
  • software-id: Kusari Platform software ID that the document applies to. Currently only used for OpenVEX (e.g., 1234)
  • sbom-subject: Kusari Platform software SBOM subject substring value that uniquely indicates which software the document applies to. Currently only used for OpenVEX (e.g., kusari-ingest)
  • sbom-subject-name-override: SBOM Subject Name override (for SBOMs only). This allows you to override the subject name extracted from the SBOM document. Default: ""
  • sbom-subject-version-override: SBOM Subject Version override (for SBOMs only). This allows you to override the subject version extracted from the SBOM document. Default: ""

Examples

Example with Component Name, Blocked Packages Check, and Document Type

Setting component-name to "my super cool project", enabling check-blocked-packages, and setting document-type to mark the file as an image SBOM:

GitHub Workflow excerpt
jobs:
  build:
    steps:
      - uses: actions/checkout@v4

      - uses: [Your build and SBOM/Provenance generation steps]

      - uses: kusaridev/kusari-ingest@f28d0be1bb0cddcbc83f37f50dd2cd66f5c76ffb #v2.0.7
        name: Kusari Ingestion
        with:
          file-path: './spdx.json'
          tenant-endpoint: 'https://[kusari-tenant-id].api.us.kusari.cloud'
          client-id: ${{ secrets.KUSARI_CLIENT_ID }}
          client-secret: ${{ secrets.KUSARI_CLIENT_SECRET }}
          component-name: 'my super cool project'
          check-blocked-packages: true
          document-type: 'image'

      - uses: [Rest of your build steps]

Example screenshot showing some blocked packages found (image: blocked_packages).

note

The blocked package list can be modified on the admin page.
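Example with OpenVEX Ingestion

The optional inputs above state that open-vex: true requires tag plus one of software-id or sbom-subject, but the page gives no workflow for that case. The excerpt below is an added example, not part of the kusari-ingest documentation: it ingests an SBOM and then an OpenVEX document that applies to that SBOM's subject. The govulncheck step, its -format openvex flag, and the file names are assumptions; any OpenVEX producer can be substituted.

```yaml
# Added example (not from the kusari-ingest docs): SBOM ingestion followed by
# OpenVEX ingestion. open-vex: true requires `tag` and one of
# `software-id` or `sbom-subject`. The govulncheck step is assumed tooling.
jobs:
  build:
    steps:
      - uses: actions/checkout@v4

      - uses: [Your build and SBOM/Provenance generation steps]

      # Ingest the SBOM first so the VEX statements have a subject to attach to.
      - uses: kusaridev/kusari-ingest@f28d0be1bb0cddcbc83f37f50dd2cd66f5c76ffb #v2.0.7
        name: Kusari SBOM Ingestion
        with:
          file-path: './spdx.json'
          tenant-endpoint: 'https://[tenant_name].api.us.kusari.cloud'
          client-id: ${{ secrets.KUSARI_CLIENT_ID }}
          client-secret: ${{ secrets.KUSARI_CLIENT_SECRET }}
          document-type: 'source'

      # Produce the OpenVEX document (assumed: govulncheck with -format openvex).
      # govulncheck exits non-zero when it finds vulnerabilities, but the VEX
      # file is still written, so do not let that exit code abort the job here.
      - name: Generate OpenVEX with govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck -format openvex ./... > govulncheck.openvex.json || true

      # Ingest the OpenVEX document. sbom-subject must be a substring that
      # uniquely matches the subject name taken from the SBOM ingested above.
      - uses: kusaridev/kusari-ingest@f28d0be1bb0cddcbc83f37f50dd2cd66f5c76ffb #v2.0.7
        name: Kusari OpenVEX Ingestion
        with:
          file-path: './govulncheck.openvex.json'
          tenant-endpoint: 'https://[tenant_name].api.us.kusari.cloud'
          client-id: ${{ secrets.KUSARI_CLIENT_ID }}
          client-secret: ${{ secrets.KUSARI_CLIENT_SECRET }}
          open-vex: true
          tag: 'govulncheck'
          sbom-subject: 'kusari-ingest'

      - uses: [Rest of your build steps]
```

If the software ID is already known, software-id (e.g., 1234 as in the inputs list) can replace sbom-subject; only one of the two is needed.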

Actions secrets

We recommend storing the Kusari Platform credentials as organization-level secrets so they can be shared across repositories. See creating secrets for an organization for details.