Generate an SBOM in CI with GitHub Actions
Add a GitHub Actions step that runs vg sbom export on every push and uploads the CycloneDX SBOM as a build artifact, so every build ships a fresh inventory.
Generating an SBOM by hand is easy to forget. Wiring it into CI means every build emits an up-to-date inventory automatically. This tutorial adds a GitHub Actions step that exports a CycloneDX SBOM and stores it as a workflow artifact.
Prerequisites
- A GitHub repository
- A project with a dependency manifest
Steps
1. Add a CI workflow file
Create .github/workflows/sbom.yml with a job that checks out the code and sets up Node.js.
2. Install the CLI in the job
Use the no-install form so there is nothing global to manage:
npx @vibgrate/cli scan
This scans the checked-out repository and prepares the artifacts the SBOM is built from.
3. Export the SBOM
Add a step that exports the CycloneDX SBOM to a file:
vg sbom export --format cyclonedx --out sbom.cdx.json
If you are using the no-install form throughout, prefix with npx @vibgrate/cli instead of vg.
4. Upload the SBOM artifact
Use actions/upload-artifact to persist sbom.cdx.json from the run. A complete workflow looks like:
name: SBOM
on: [push]
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
- run: npx @vibgrate/cli scan
- run: npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json
- uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.cdx.json
5. Run and confirm the workflow
Push a commit to trigger the workflow. When it finishes, the sbom artifact is attached to the run for download.
Verification
The job succeeds (exit code 0) and the run's Artifacts section lists sbom.cdx.json. Download it and confirm the components array is populated.
Next Steps
Attach the generated SBOM to your releases, and combine SBOM export with a drift gate so one CI job covers both inventory and quality.