This Action ingests various artifacts (such as SBOMs, SLSA and other attestations) into the Kusari Platform as part of your GitHub workflow, enabling quick and easy integration with your tenant with very minimal input.
Authentication credentials (client-id, client-secret) are provided by the Kusari team.
For details on how to query and utilize the data after ingestion, please see our documentation.
See action.yaml

```yaml
steps:
  - uses: actions/checkout@v4
  - uses: [Your build and SBOM/Provenance generation steps]
  - uses: kusaridev/kusari-ingest@v0
    name: Kusari Ingestion
    with:
      file-path: './spdx.json'
      tenant-endpoint: 'https://[kusari-tenant-id].api.us.kusari.cloud'
      client-id: ${{ secrets.KUSARI_CLIENT_ID }}
      client-secret: ${{ secrets.KUSARI_CLIENT_SECRET }}
```

The action accepts the following inputs (see action.yaml for the full definitions):

- `file-path` - Required - Path to directory or specific file to ingest
- `tenant-endpoint` - Required - Kusari Platform tenant API endpoint
- `client-id` - Required - Client ID for auth token provider
- `client-secret` - Required - Client secret for auth token provider
- Required - Kusari Platform auth token provider endpoint
- Optional - Alias of the package for grouping. Default: ""
- Optional - Type of the file being uploaded. Default: ""
- Optional - Set to true if ingesting an OpenVEX document. When true, `tag` is required and so is one of `software-id` and `sbom-subject`. Default: false
- `tag` - Optional - Tag for the document. Currently only used for OpenVEX. Example: govulncheck
- `software-id` - Optional - Kusari Platform software ID that the document applies to. Currently only used for OpenVEX. Example: 1234
- `sbom-subject` - Optional - Kusari Platform software SBOM subject substring value that uniquely indicates which software the document applies to. Currently only used for OpenVEX. Example: kusari-ingest
- Optional - Kusari Platform software component name (multiple SBOM subjects can belong to the same component). If a component with this name does not exist, it will be created. Default: ${{ github.event.repository.name }}. Example: kusari-ingest
- Optional - Check SBOM dependencies against the Blocked Package list in the Kusari Platform. If a blocked package is found, the program terminates with a non-zero exit status, failing the job. Default: false
- Optional - SBOM Subject Name override (for SBOMs only). This allows you to override the subject name extracted from the SBOM document. Default: ""
- Optional - SBOM Subject Version override (for SBOMs only). This allows you to override the subject version extracted from the SBOM document. Default: ""
- Optional - Wait for ingestion status. When set to true, the action waits for the ingestion process to complete and reports the final status. When set to false, the action returns immediately after uploading, without waiting for processing to complete. Default: true
The action automatically captures repository metadata to enable traceability for dependency updates and code changes:
| Metadata | Source | Example |
|---|---|---|
| forge | GitHub server URL | github.com or github.enterprise.com |
| org | Repository owner | kusaridev |
| repo | Repository name | kusari-ingest |
| subrepo_path | Derived from file-path | app/frontend (from app/frontend/sbom.json) |
This metadata is automatically attached to uploaded SBOMs without any additional configuration.
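The following Python script is an added illustration written for this README, not the kusari-ingest action's or the kusari CLI's own code. It models three rules stated above so that a workflow author can reason about them before wiring up the action: the required-input and OpenVEX input constraints from the inputs list, the blocked-package check (here a minimal, assumed reading of SPDX 2.x JSON `packages[].externalRefs[]` purl entries, since the platform's own matching rules are not described on this page), and the forge/org/repo/subrepo_path metadata derived from `GITHUB_SERVER_URL`, `GITHUB_REPOSITORY` and `file-path`. The `is_openvex` flag stands in for the OpenVEX input, whose name is not given here; the sample SPDX document and blocklist are constructed for the example.

```python
# Added illustration for this README; not the kusari-ingest action's own code.
# Mirrors three rules stated in the README: required/OpenVEX input constraints,
# the blocked-package check, and repository metadata derived from file-path.
import json
import posixpath
from urllib.parse import urlparse

# Input names taken from the workflow example above.
REQUIRED_INPUTS = ("file-path", "tenant-endpoint", "client-id", "client-secret")


def validate_inputs(inputs: dict, is_openvex: bool = False) -> list:
    """Return the list of rule violations; an empty list means the inputs are consistent.

    `is_openvex` stands in for the README's OpenVEX flag (its input name is not given
    on the page); the dict keys are the input names shown in the README.
    """
    problems = []
    for name in REQUIRED_INPUTS:
        if not inputs.get(name):
            problems.append(f"missing required input: {name}")
    if is_openvex:
        # OpenVEX rule: tag is required, plus one of software-id / sbom-subject.
        if not inputs.get("tag"):
            problems.append("OpenVEX ingestion requires tag")
        if not (inputs.get("software-id") or inputs.get("sbom-subject")):
            problems.append("OpenVEX ingestion requires software-id or sbom-subject")
    return problems


def blocked_packages(spdx_doc: dict, blocklist: set) -> list:
    """Return the names of SPDX packages whose name or purl appears in `blocklist`.

    Assumed minimal SPDX 2.x JSON reading: packages[].externalRefs[] entries with
    referenceType "purl". The Kusari Platform's own matching rules are not shown here.
    """
    hits = []
    for pkg in spdx_doc.get("packages", []):
        identifiers = {pkg.get("name", "")}
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                identifiers.add(ref.get("referenceLocator", ""))
        if identifiers & blocklist:
            hits.append(pkg.get("name", ""))
    return hits


def repo_metadata(server_url: str, repository: str, file_path: str) -> dict:
    """Derive forge/org/repo/subrepo_path as the README's metadata table describes.

    `server_url` and `repository` are the values GitHub exposes as GITHUB_SERVER_URL
    and GITHUB_REPOSITORY (owner/name). subrepo_path is assumed to be the directory
    containing file-path, normalised as a POSIX path; a file at the repository root
    yields "".
    """
    forge = urlparse(server_url).netloc or server_url
    org, _, repo = repository.partition("/")
    subrepo_path = posixpath.dirname(posixpath.normpath(file_path))
    return {"forge": forge, "org": org, "repo": repo, "subrepo_path": subrepo_path}


# Constructed sample SPDX document (not from the page) with one blocked dependency.
SAMPLE_SPDX = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "name": "example-app",
  "packages": [
    {"name": "example-app", "versionInfo": "1.0.0"},
    {"name": "left-pad", "versionInfo": "1.3.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:npm/left-pad@1.3.0"}]}
  ]
}
""")

# Constructed blocklist for the example.
SAMPLE_BLOCKLIST = {"pkg:npm/left-pad@1.3.0"}


if __name__ == "__main__":
    inputs = {"file-path": "app/frontend/sbom.json",
              "tenant-endpoint": "https://example.invalid",
              "client-id": "id", "client-secret": "secret"}
    print("input problems:", validate_inputs(inputs))
    print("metadata:", repo_metadata("https://github.com", "kusaridev/kusari-ingest",
                                     inputs["file-path"]))
    hits = blocked_packages(SAMPLE_SPDX, SAMPLE_BLOCKLIST)
    print("blocked packages:", hits)
    # As the README states for the real check: a blocked package fails the job
    # with a non-zero exit status.
    raise SystemExit(1 if hits else 0)
```

Run the script directly to see the checks applied to the constructed sample; because the sample contains a blocked package, the script exits non-zero, which is the job-failing behaviour the README describes for the real check.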
The action exposes the raw output of the kusari CLI upload command as an output.
The scripts and documentation in this project are released under the Apache License.