Skip to main content

Attach an SBOM to a GitHub Release

Generate a CycloneDX SBOM during your GitHub release workflow and publish it as a release asset, giving downstream consumers a verifiable per-version component inventory.

Difficulty
Intermediate
Duration
18 minutes
Steps
5

Consumers of your software increasingly expect a per-version SBOM. Attaching one to each GitHub Release gives them a verifiable inventory tied exactly to the artifacts they download. This tutorial generates a CycloneDX SBOM during a release run and publishes it as a release asset.

Prerequisites

  • A GitHub repository that publishes tagged releases
  • Permission to publish release assets

Steps

1. Trigger the workflow on release

Create a workflow that runs when a release is published, using the release event with types: [published].

2. Scan the tagged commit

The workflow checks out the tagged commit and scans it:

npx @vibgrate/cli scan

This ensures the SBOM reflects exactly what shipped in this version.

3. Export the SBOM

Export the CycloneDX SBOM to a file:

vg sbom export --format cyclonedx --out sbom.cdx.json

With the no-install form, prefix with npx @vibgrate/cli.

4. Upload the SBOM as a release asset

Use the GitHub CLI to attach the file to the release that triggered the run:

gh release upload "$GITHUB_REF_NAME" sbom.cdx.json

A full workflow:

name: Release SBOM
on:
  release:
    types: [published]
jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npx @vibgrate/cli scan
      - run: npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json
      - run: gh release upload "$GITHUB_REF_NAME" sbom.cdx.json
        env:
          GH_TOKEN: ${{ github.token }}

5. Confirm the asset on the release

Open the release page; sbom.cdx.json appears in the Assets list.

Verification

The job exits 0 and the release page lists the SBOM as a downloadable asset tied to the version tag.

Next Steps

Generate the SBOM as part of a broader release pipeline, and push your scan to Vibgrate Cloud for trend tracking across versions.

Prerequisites

  • A GitHub repository with tagged releases
  • Permission to publish release assets

Steps

  • 1
    Trigger the workflow on release
  • 2
    Scan the tagged commit
  • 3
    Export the SBOM
  • 4
    Upload the SBOM as a release asset
  • 5
    Confirm the asset on the release

Category

Vibgrate