A set of GitHub Actions for interacting with different Sonatype products.
Sonatype GitHub Actions also support integration with GitHub Code Scanning, part of the GitHub Advanced Security feature, which displays detected vulnerabilities on the GitHub Security tab. You can use the evaluate or run-iq-cli actions in combination with the upload-sarif-file parameter to take advantage of this functionality. GitHub Advanced Security is available for GitHub Enterprise customers and public repositories.
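As an added example (not part of the project's own README), here is a minimal workflow that turns on the Code Scanning integration described above. The `upload-sarif-file` parameter is the one named in this document; the assumptions here are that it is enabled by setting it to `true`, that the job needs the `security-events: write` permission for the SARIF upload to the Security tab to succeed, and that the server URL, `application-id`, and secret names are placeholders you replace with your own:

```yaml
name: Sonatype Code Scanning
on: push

jobs:
  sonatype-code-scanning:
    runs-on: ubuntu-latest
    # Assumed: uploading SARIF results to the Security tab requires this
    # permission; without it the upload step is rejected by GitHub.
    permissions:
      contents: read
      security-events: write
    steps:
      # Check out your code
      - name: Checkout
        uses: actions/checkout@v4

      # Evaluate the project and publish the findings as SARIF.
      # Assumed: upload-sarif-file is a boolean parameter enabled with "true".
      - name: Run evaluate action with SARIF upload
        id: evaluate
        uses: sonatype/actions/evaluate@v1
        with:
          iq-server-url: https://your.lifecycle.server   # placeholder
          username: ${{ secrets.LIFECYCLE_USERNAME }}    # placeholder secret name
          password: ${{ secrets.LIFECYCLE_PASSWORD }}    # placeholder secret name
          application-id: lifecycle-app                  # placeholder
          scan-targets: package.json package-lock.json
          upload-sarif-file: true
```

Because GitHub Advanced Security is only available to GitHub Enterprise customers and public repositories, the upload step is expected to fail on a private repository without that entitlement; the evaluation itself still runs and its results remain available in Sonatype Lifecycle.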
The action set currently contains a couple of top-level actions:
Additionally, for developers who require more fine-grained control over the actions' configuration, a set of advanced actions is also provided:
Here's a typical usage example that evaluates an npm project against a Sonatype Lifecycle instance and retrieves the associated SBOM (Software Bill of Materials) file:
```yaml
name: Sonatype Workflow
on: push

jobs:
  sonatype-cli:
    runs-on: ubuntu-latest
    steps:
      # Check out your code
      - name: Checkout
        id: checkout
        uses: actions/checkout@v4

      # Perform an evaluation
      - name: Run evaluate action
        id: evaluate
        uses: sonatype/actions/evaluate@v1
        with:
          iq-server-url: https://your.lifecycle.server
          username: ${{ secrets.LIFECYCLE_USERNAME }}
          password: ${{ secrets.LIFECYCLE_PASSWORD }}
          application-id: lifecycle-app
          scan-targets: package.json package-lock.json

      # Fetch the SBOM file associated with the evaluation.
      # Runs whether or not the evaluation passed policy, as long as a scan-id exists.
      - name: Fetch SBOM
        uses: sonatype/actions/fetch-sbom@v1
        if: ( success() || failure() ) && steps.evaluate.outputs.scan-id
        with:
          iq-server-url: https://your.lifecycle.server
          username: ${{ secrets.LIFECYCLE_USERNAME }}
          password: ${{ secrets.LIFECYCLE_PASSWORD }}
          application-id: lifecycle-app
          scan-id: ${{ steps.evaluate.outputs.scan-id }}
          sbom-standard: cyclonedx
          sbom-version: 1.5
          sbom-format: json
          artifact-name: lifecycle-app-sbom.json
```

For more details on the supported parameters for each action, refer to the individual action documentation.