bifrostsec/submit-sbom-action

Submit SBOM to bifrost action

A GitHub Action that submits Software Bill of Materials (SBOM) files to the bifrost API to analyze your services for known vulnerabilities and security risks.

Prerequisites

  • A bifrost organization and service set up to receive SBOMs. See Get started for more information.
  • A valid bifrost API token. Navigate to your organization settings and create a new token under API access tokens.
  • An SBOM file generated by your build process
  • A GitHub repository with Actions enabled

Usage

Basic Example

name: build
on:
  pull_request:

jobs:
  build:
    name: Build and submit SBOM
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
      - name: Build code
        run: make build
      - name: Generate SBOM
        run: |
          # execute tool that generates SBOM output to file, e.g. build/sbom.spdx
      - name: Send SBOM to bifrost
        uses: bifrostsec/submit-sbom-action@v1
        with:
          api-token: ${{ secrets.BIFROST_API_TOKEN }}
          service: 'my-service'
          service-version: 'v1.0.0'
          image: 'my-org/my-service:latest'
          sbom-path: 'build/sbom.spdx'

Syft SBOM generation example

name: build
on:
  pull_request:

jobs:
  build:
    name: Build and submit SBOM
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6

      - name: Build code
        run: make build

      # Generate SBOM using anchore/sbom-action (syft)
      - name: Generate SBOM
        uses: anchore/sbom-action@v0.21.1
        with:
          path: .
          format: spdx-json
          output-file: build/sbom.spdx

      - name: Send SBOM to bifrost
        uses: bifrostsec/submit-sbom-action@v1
        with:
          api-token: ${{ secrets.BIFROST_API_TOKEN }}
          service: 'my-service'
          service-version: 'v1.0.0'
          image: 'my-org/my-service:latest'
          sbom-path: 'build/sbom.spdx'

Advanced Example with Custom Retry Configuration

The action includes automatic retry logic for handling transient network errors. You can customize the retry behavior:

      - name: Send SBOM to bifrost
        uses: bifrostsec/submit-sbom-action@v1
        with:
          api-token: ${{ secrets.BIFROST_API_TOKEN }}
          service: 'my-service'
          service-version: 'v1.0.0'
          image: 'my-org/my-service:latest'
          sbom-path: 'build/sbom.spdx'
          retry-attempts: '5'
          retry-delay: '10'

Note: If you want the workflow to continue even if this action fails, you can use GitHub's built-in continue-on-error setting on the step. Keep in mind that a failed submission then no longer surfaces as a CI failure, so a service can silently fall behind on SBOMs. See the GitHub Actions workflow syntax documentation for more information.

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| api-token | Bearer token for bifrost API authentication | Yes | - |
| service | Your service name | Yes | - |
| service-version | Your service version | Yes | - |
| sbom-path | Path to the SBOM file to submit | Yes | - |
| image | Container image name (sent as the image query parameter) | No | - |
| retry-attempts | Number of retry attempts for failed requests | No | 3 |
| retry-delay | Delay in seconds between retry attempts | No | 5 |

Outputs

This action does not provide explicit output values. Instead, it uses GitHub Actions' standard exit behavior:

  • On successful SBOM submission, the step completes successfully
  • On failure, the step fails, which fails the job it runs in (unless continue-on-error is set on the step)

API Requirements

This action submits SBOMs to the Bifrost API using the following endpoint:

POST https://portal.bifrostsec.com/api/v2/service/{service}/version/{version}/sbom?image={image}

The request includes:

  • Authorization: Bearer {api-token} header
  • Content-Type: application/json header
  • SBOM file contents as the request body

Read the bifrost API documentation for more details on authentication and request formats.

Security

Storing API Tokens

Always store your bifrost API token as a GitHub Secret:

  1. Go to your repository Settings > Secrets and variables > Actions
  2. Click "New repository secret"
  3. Name: BIFROST_API_TOKEN
  4. Value: Your bifrost API token
  5. Click "Add secret"

Never hardcode API tokens in your workflow files or commit them to your repository.

Troubleshooting

SBOM file not found

Error: Error: SBOM file not found at build/sbom.spdx

Solution: Ensure your SBOM generation step runs before this action and outputs to the correct path. Check that the path specified in sbom-path matches where your SBOM is generated.

Authentication failed (HTTP 401)

Error: Failed to submit SBOM (HTTP 401)

Solution:

  • Verify your API token is correct and not expired
  • Check that the secret is properly configured in GitHub
  • If the failing run was triggered by a pull_request from a forked repository, note that GitHub does not pass repository secrets to such runs, so api-token arrives empty; restrict the workflow to pull requests from the same repository or skip the step for forks

Invalid SBOM format

Error: Failed to submit SBOM (HTTP 400) Error Message: Unknown SBOM format: must be either 'SPDX' or 'CycloneDX'

Solution:

  • Verify your SBOM file is in a format accepted by bifrost (SPDX or CycloneDX). See the SBOM Formats documentation
  • Check that the SBOM file is valid JSON (an empty file or a non-JSON format such as tag-value SPDX will be rejected)
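The request described under API Requirements, the retry behaviour from the Advanced Example, and the server-side checks behind the HTTP 401 and HTTP 400 errors above can be reproduced with a small client, which is handy for testing a token and an SBOM file outside of Actions. The following is an added example, not the action's own code or an official bifrost client. Its assumptions: the set of HTTP statuses treated as transient, retry-attempts counting retries after the first try, the JSON keys used to tell SPDX from CycloneDX (spdxVersion and bomFormat), and the ScriptedTransport class, which stands in for the network so the retry logic can be exercised offline; the two sample SBOM documents are constructed, not real.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Endpoint documented in the README; the image query parameter is optional.
BASE_URL = "https://portal.bifrostsec.com/api/v2"

# Assumption of this example (not documented on the page): these statuses are
# transient and retried; anything else, 401 and 400 included, fails fast.
TRANSIENT_STATUSES = {408, 429, 500, 502, 503, 504}

# Constructed sample documents, not real SBOMs: the minimum each format needs
# to be recognised by detect_sbom_format.
SAMPLE_CYCLONEDX = json.dumps(
    {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}).encode()
SAMPLE_SPDX = json.dumps(
    {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "my-service"}).encode()

def detect_sbom_format(raw: bytes) -> str:
    """Return 'SPDX' or 'CycloneDX', or raise ValueError with the README's 400 message.
    Checking locally means a malformed file never costs a network round trip.
    Assumption: SPDX JSON carries 'spdxVersion', CycloneDX JSON carries 'bomFormat'."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"SBOM is not valid JSON: {exc}") from exc
    if isinstance(doc, dict):
        if doc.get("bomFormat") == "CycloneDX":
            return "CycloneDX"
        if "spdxVersion" in doc and "SPDXID" in doc:
            return "SPDX"
    raise ValueError("Unknown SBOM format: must be either 'SPDX' or 'CycloneDX'")

def build_submit_url(service: str, version: str, image: Optional[str] = None) -> str:
    """POST .../service/{service}/version/{version}/sbom?image={image}. Path segments are
    percent-encoded so a value containing '/' or '?' cannot address a different resource."""
    url = "{}/service/{}/version/{}/sbom".format(
        BASE_URL, urllib.parse.quote(service, safe=""), urllib.parse.quote(version, safe=""))
    if image:
        url += "?" + urllib.parse.urlencode({"image": image})
    return url

def build_request(token: str, url: str, body: bytes) -> urllib.request.Request:
    """The request the README describes: Bearer auth, JSON content type, SBOM bytes as body."""
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})

def _live_transport(req: urllib.request.Request) -> int:
    """Real network transport: returns the HTTP status or raises HTTPError/URLError."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

class ScriptedTransport:
    """Offline stand-in for the network that replays scripted status codes; statuses
    >= 400 are raised as HTTPError, exactly as urlopen would raise them."""

    def __init__(self, statuses):
        self.statuses = list(statuses)
        self.calls = []  # one URL per attempt made

    def __call__(self, req: urllib.request.Request) -> int:
        self.calls.append(req.full_url)
        status = self.statuses.pop(0)
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "scripted", {}, None)
        return status

def submit_sbom(token: str, service: str, version: str, sbom_bytes: bytes,
                image: Optional[str] = None, retry_attempts: int = 3, retry_delay: int = 5,
                transport: Callable[[urllib.request.Request], int] = _live_transport,
                sleep: Callable[[float], None] = time.sleep) -> dict:
    """Submit one SBOM, retrying only transient failures. Assumption: retry-attempts counts
    retries after the first try, so at most retry_attempts + 1 requests go out, retry_delay
    seconds apart. Returns {'status', 'attempts', 'format'}; raises RuntimeError on failure."""
    if not token:
        # An empty token is the usual symptom of a secret that is not available to this
        # run (for example a pull_request from a fork); fail before sending anything.
        raise ValueError("api-token is empty: is the secret available to this run?")
    fmt = detect_sbom_format(sbom_bytes)
    req = build_request(token, build_submit_url(service, version, image), sbom_bytes)
    attempts = 0
    while True:
        attempts += 1
        try:
            return {"status": transport(req), "attempts": attempts, "format": fmt}
        except urllib.error.HTTPError as exc:  # must precede URLError, its base class
            if exc.code not in TRANSIENT_STATUSES or attempts > retry_attempts:
                raise RuntimeError(f"Failed to submit SBOM (HTTP {exc.code})") from exc
        except urllib.error.URLError as exc:  # DNS/TCP/TLS failures: treated as transient
            if attempts > retry_attempts:
                raise RuntimeError(f"Failed to submit SBOM: {exc.reason}") from exc
        sleep(retry_delay)
```

With the default transport the request is sent for real; passing ScriptedTransport([503, 502, 200]) together with a no-op sleep shows the retry loop making three attempts and then succeeding. A 401 is deliberately not retried: repeating a request with a bad or missing token only delays the failure, and the empty-token check catches the fork-pull-request case before any request leaves the runner.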

Versioning

This action follows semantic versioning. When using this action, you can specify:

  • @v1 - Latest v1.x.x release (recommended for most users)
  • @v1.0.0 - Specific version for maximum stability
  • @<full commit SHA> - Pins to an immutable commit; tags can be moved, so a SHA is the strongest supply-chain guarantee and is what GitHub recommends for third-party actions
  • @main - Latest development version (not recommended for production)

License

This project is licensed under the MIT License - see the LICENSE file for details.
