Generating build-time SBOMs with CycloneDX and Kondukto

Luis Pereira, 20 Jan 2025
dotnet CycloneDX Conduit.sln -o .
dotnet CycloneDX -j Conduit.sln -o .
docker run --rm -v $PWD:/src cyclonedx/cyclonedx-dotnet /src/Conduit.sln -rs -o /src -j
kdt sbom import -p aspnetcore-example-ap -b master -f bom.json -v
name: Build, Test, and Generate SBOM

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-dotnet@v4
      with:
        dotnet-version: 8.0.204

    # Restore, build, and test .NET project
    - run: |
        dotnet restore build/build.csproj
        dotnet build build/build.csproj
        dotnet test build/build.csproj
      
    # Install CycloneDX CLI for SBOM generation
    - name: Install CycloneDX CLI
      run: dotnet tool install --global CycloneDX

    # Install Kondukto CLI for SBOM import
    - name: Install Kondukto CLI
      run: |
        curl -sSL https://cli.kondukto.io | sudo sh

    # Generate SBOM with CycloneDX
    - name: Generate SBOM
      run: |
        dotnet CycloneDX Conduit.sln -j -o out
        ls -al
      shell: bash

    # Import SBOM into Kondukto
    - name: Import SBOM to Kondukto
      env:
        KONDUKTO_HOST: https://konduktolab.kondukto.io
        KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_SECRETS1 }}
      run: |
        kdt sbom import -p aspnetcore-example-ap -f out/bom.json -b main
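The workflow above hands `out/bom.json` straight from the CycloneDX generator to `kdt sbom import`. A step that fails the build on an empty or malformed BOM, and reports components that lack a version or a purl (both weaken vulnerability matching downstream), is worth having in between. The script below is an added example, not code from the original post or from Kondukto or CycloneDX; the sample BOM it embeds is constructed for illustration, and the field names used (`bomFormat`, `specVersion`, `metadata.component`, `components[].purl`) are the standard CycloneDX JSON fields.

```python
"""Pre-import sanity check for a CycloneDX JSON SBOM (added example)."""
import json
import sys

# Constructed sample in the shape CycloneDX .NET emits (abridged, not real output).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "Conduit"}},
    "components": [
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
         "purl": "pkg:nuget/Newtonsoft.Json@13.0.3"},
        {"type": "library", "name": "AutoMapper", "version": "12.0.1"},  # no purl
        {"type": "library", "name": "MediatR"},                          # no version, no purl
    ],
})


def load_bom(text):
    """Parse JSON and confirm it is a CycloneDX document; raise ValueError otherwise."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document (bomFormat missing or wrong)")
    if "specVersion" not in bom:
        raise ValueError("specVersion missing")
    return bom


def check_bom(bom, min_components=1):
    """Return (errors, warnings). Errors should fail the job; warnings are informational."""
    errors, warnings = [], []
    components = bom.get("components") or []
    if len(components) < min_components:
        errors.append(f"only {len(components)} component(s); expected at least {min_components}")
    for c in components:
        name = c.get("name")
        if not name:
            errors.append("component without a name")
            continue
        if not c.get("version"):
            warnings.append(f"{name}: no version (vulnerability matching will be weak)")
        if not c.get("purl"):
            warnings.append(f"{name}: no purl (package identity is ambiguous)")
    return errors, warnings


def summarize(bom):
    """Small summary dict, handy for the job log."""
    components = bom.get("components") or []
    root = (bom.get("metadata") or {}).get("component") or {}
    return {
        "spec_version": bom.get("specVersion"),
        "root": root.get("name"),
        "component_count": len(components),
        "with_purl": sum(1 for c in components if c.get("purl")),
    }


def main(argv):
    """Usage: check_bom.py [path/to/bom.json]; without a path the constructed sample is checked."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_BOM
    bom = load_bom(text)
    print(summarize(bom))
    errors, warnings = check_bom(bom)
    for w in warnings:
        print("WARN:", w)
    for e in errors:
        print("ERROR:", e)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Placed as a step between "Generate SBOM" and "Import SBOM to Kondukto" (for example `run: python check_bom.py out/bom.json`), a non-zero exit stops the import, so a build that produced no components never overwrites the project's last good SBOM in Kondukto.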
